ADJOINT REPRESENTATIONS OF BLACK BOX GROUPS $PSL_2(F_q)$

ALEXANDRE BOROVIK AND ŞÜKRÜ YALÇINKAYA


Abstract. In the area of computational group theory known as "black box group theory", the following problem by Babai and Beals [2, Problem 10.1] remained unsolved since 1999:

Given a black-box group known to be isomorphic to $PSL_2(p^k)$, find an element of order p.

We present a probabilistic algorithm that solves this problem in odd characteristic p. The running time of the algorithm is polynomial in k and log p if p is known, or linear in p and polynomial in k if p is not known. Our algorithm also finds the characteristic of the underlying field when it is not given as an input.

More generally, given a global exponent for a black box group Y (that is, an integer E such that $y^E = 1$ for all $y \in Y$) encrypting $PSL_2$ over some finite field of unknown odd characteristic p, we construct, in probabilistic time polynomial in log E,

• a black box group X encrypting $SO_3$ over the same field as Y and an effective embedding $Y \hookrightarrow X$;

• a black box field K, and

• polynomial time, in log E, isomorphisms

$SO_3(K) \to X \to SO_3(K)$.

Moreover, if p is known and F is a standard explicitly given finite field isomorphic to the field on which Y is defined, then we construct, in time polynomial in log E, an isomorphism

$SO_3(F) \to SO_3(K)$.

We implemented our algorithms in GAP for groups such as $PSL_2(F)$ for |F| = 5463458053 (a prime number).

Unlike many papers on black box groups, our algorithms make no reference to Discrete Logarithm Oracles or $SL_2$-oracles. Moreover, in the case of small odd characteristic our result acts as an $SL_2$-oracle, because effective recognition of black box finite fields is equivalent to effective recognition of black box fields of prime order p, with the latter solvable in time linear in p.

Our algorithms are Monte Carlo, but become Las Vegas if some additional information about Y is given, for example, the order of the ground field F.


1. Introduction 

1.1. The principal results. Black box groups were introduced by Babai and Szemerédi [1] as an idealized setting for randomized algorithms for solving permutation and matrix group problems in computational group theory. A black box group X is a black box (or an oracle, or a device, or an algorithm) operating with 0-1 strings of uniform length which encrypt (not necessarily in a unique way) elements of some finite group G. In various classes of black box problems the isomorphism type of G could be known in advance or unknown.

All black box groups in this paper are assumed to satisfy Axioms BB1-BB4 from Sections 2.1 and 2.2, although all algorithms in this paper work under the weaker Axioms BB1-BB3 and BB5 (the latter is from Section 2.3). In particular, we assume that for every black box group X we are given a global exponent, that is, an integer E such that $x^E = 1$ for all $x \in X$.

We propose an algorithm which solves the old problem by Babai and Beals [2, Problem 10.1] that remained open since 1999. We prove the following theorem.

Theorem 1.1. Given a global exponent E for a black box group Y encrypting $PSL_2$ over some finite field of unknown odd characteristic p, we construct a non-trivial unipotent element in Y in time linear in p and polynomial in log E. In particular, we find the characteristic p of the underlying field.

If the characteristic p is known in advance, then we construct a non-trivial unipotent element in Y in time polynomial in log E.

In the case p = 2, the Babai-Beals problem has been solved by Kantor and Kassabov [22]; we briefly discuss its version in Section 3.8 as an illustration of our methods.

Note that, in the first part of the statement of Theorem 1.1, we do not have any information about the ground field of the group Y. However, we use some form of an upper bound on the size of this field which is implicitly present in the global exponent E.

In the special case of matrix groups, Theorem 1.1 takes the form that also remained unknown until now.

Corollary 1.2. Given matrices $g_1, \dots, g_m$ in a group $GL_n(F)$ of matrices over a finite field F of odd characteristic p, $|F| = p^k$, which generate a subgroup G isomorphic to $SL_2(F_{p^l})$, we can find in G a non-trivial unipotent element in probabilistic time polynomial in k, l, m, n and log p.

Our next result is the solution to the problem of recognizing a black box group encrypting $PSL_2$ defined over a field of unknown odd characteristic.

Theorem 1.3. Given a global exponent E for a black box group Y encrypting $PSL_2$ over some finite field of unknown odd characteristic p, we construct, in probabilistic time polynomial in log E,

• a black box group X encrypting $SO_3$ over the same field as Y and an effective embedding $Y \hookrightarrow X$;

• a black box field K, and

• the following isomorphisms

$SO_3(K) \to X \to SO_3(K)$.

If p is known and F is the standard explicitly given finite field of characteristic p isomorphic to the field on which Y is defined, then we also construct, in time polynomial in log E, an isomorphism

$SO_3(F) \to SO_3(K)$.

Since, by Theorem 1.1, we can find the characteristic p of the underlying field in time linear in p and polynomial in log E, we have a stronger result in small odd characteristics:

Corollary 1.4. We construct, in time linear in p and polynomial in log E, an isomorphism

$X \longleftrightarrow SO_3(F)$,

where F is the standard explicitly given finite field.

In particular this means that, in small odd characteristics, our algorithm fully replaces the so-called "$SL_2$ oracle", the assumption that a two-way polynomial time isomorphism exists between an arbitrary black box group encrypting $SL_2(F_{p^k})$ and the group $SL_2(F_{p^k})$ over the standard explicitly given field $F_{p^k}$. The first use of an "$SL_2$ oracle" appeared in 2001; quite a number of papers referring to $SL_2$ oracles followed.

1.2. A very brief outline of the proof. The proof of Theorem 1.3 will be achieved as a sequence of steps, some of which are interesting on their own.

(a) We embed $Y \hookrightarrow X$, where X encrypts $SO_3(F)$, see Theorem 4.1.

(b) Using involutions in X, we construct a black box projective plane $\mathfrak{P}$ that encrypts the projective plane of the 3-dimensional space of the adjoint representation of $PGL_2(F) \simeq SO_3(F)$ on its Lie algebra $\mathfrak{l} = \mathfrak{sl}_2(F)$.

(c) We coordinatize $\mathfrak{P}$ by homogeneous coordinates over a black box field K constructed in the projective plane $\mathfrak{P}$.

(d) We use the action of X on $\mathfrak{P}$ to construct a matrix representation $X \to SO_3(K)$.

(e) Coordinatizing $SO_3(K)$ in a similar way, we construct an isomorphism $SO_3(K) \to X$.

(f) The map $SO_3(F) \to SO_3(K)$ is constructed from the canonical isomorphism $F \to K$ from the standard finite field F onto the black box field K; this isomorphism is polynomial time and exists due to a result by Maurer and Raub [?], formulated in our paper as Theorem 2.2 (the complexity of the inverse isomorphism is unknown).

1.3. Monte-Carlo algorithms. Recall that a Monte-Carlo algorithm is a randomized algorithm which gives a correct output to a decision problem with probability strictly bigger than 1/2. The probability of an incorrect output can be made arbitrarily small by running the algorithm sufficiently many times. A Monte-Carlo algorithm with outputs "yes" and "no" is called one-sided if the output "yes" is always correct. A special case of Monte-Carlo algorithms is a Las Vegas algorithm, which either outputs a correct answer or reports failure. A detailed comparison of Monte-Carlo and Las Vegas algorithms, from both the practical and the theoretical point of view, can be found in [?].

By the nature of our axioms, all algorithms for black box groups (in the sense of Axioms BB1-BB4 and BB5) are Monte-Carlo. In most applications, our algorithms can be easily made Las Vegas if additional information of some kind is provided about X, for example a set of its generators, that is, strings in X which represent a generating set of the group G encrypted by X, or the order of the field F.

The results of this paper suggest that the distinction between Monte-Carlo and 
Las Vegas probabilistic algorithms is external to the structural theory of black box 
groups although, of course, it remains quite natural and crucially important in its 
concrete applications. 

1.4. Terminology and notation. In what follows we make extensive use of the language of projective geometry, see, for example, Coxeter [?] and Hartshorne [20]. Group theoretic terminology mostly follows [18].

1.5. Organization of the paper. In Section 2 we discuss the axioms of black box groups and black box fields. We also prove the Tonelli-Shanks algorithm for black box groups. In Section 3 we introduce morphisms and protomorphisms of black box groups and the procedure called the reification of an involution. We also explain how our arguments work in even characteristic, producing a unipotent element in $PSL_2(2^n)$. In Section 4 we prove a theorem about constructing a black box group encrypting $SO_3$ from a black box group encrypting $PSL_2$. In Section 5 we discuss the geometry of involutions in $SO_3$ and in Section 6 we construct the black box projective plane. In Section 7 we summarize the procedures we can handle in the black box projective plane. In Section 8 we construct a black box subgroup encrypting $Sym_4$ in a black box group encrypting $SO_3$, and in Section 9 we apply Hilbert's coordinatization to the black box projective plane and construct a black box field. In Section 10 we prove Theorem 1.1 and in Section 11 we prove Theorem 1.3. In Section 12 we present the complexities of the procedures presented in this paper. Finally, in Section 13 we make a few remarks about possible improvements in our algorithms.


2. Black box groups 

2.1. Axioms for black box groups. The functionality of a black box X for a finite group G is specified by the following axioms.

BB1 X produces strings of fixed length $l(X)$ encrypting random (almost) uniformly distributed elements from G; this is done in probabilistic time polynomial in $l(X)$.

BB2 X computes, in probabilistic time polynomial in $l(X)$, a string encrypting the product of two group elements given by strings, or a string encrypting the inverse of an element given by a string.

BB3 X decides, in probabilistic time polynomial in $l(X)$, whether two strings encrypt the same element in G; therefore identification of strings is a canonical projection

$\pi : X \to G$.

We shall say in this situation that X is a black box over G or that the black box X encrypts the group G. Notice that we are not making any assumptions about the practical computability or the time complexity of the projection $\pi$.

A typical example of a black box group is provided by a group G generated in a big matrix group $GL_n(F_{p^k})$ by several matrices $g_1, \dots, g_l$. The product replacement algorithm [?] produces a sample of (almost) independent elements from a distribution on G which is close to the uniform distribution (see a discussion and further development in [?]). We can, of course, multiply, invert and compare matrices. Therefore the computer routines for these operations, together with the sampling of the product replacement algorithm run on the tuple of generators $(g_1, \dots, g_l)$, can be viewed as a black box X encrypting the group G. The group G could be unknown, in which case we are interested in its isomorphism type, or its isomorphism type could be known, as happens in a variety of other black box problems.

The concept of a black box can be applied to rings, fields, and, as we can see in this paper, even to projective planes.

2.2. Global exponent and Axiom BB4. Notice that even in routine examples the number of elements of a matrix group G could be astronomical, thus making many natural questions about the black box X over G (for example, finding the isomorphism type or the order of G) inaccessible for all known deterministic methods. Even when G is cyclic, and thus is characterized by its order, existing approaches to finding exact multiplicative orders of matrices over large finite fields are conditional and involve prime factorization of large integers.

Nevertheless black box problems for matrix groups have a feature which makes them more accessible:

BB4 We are given a global exponent of X, that is, a natural number E such that $\pi(x)^E = 1$ for all strings $x \in X$, while computation of $x^E$ is computationally feasible (say, log E is polynomially bounded in terms of log |G|).

If we know the factorization of E into prime factors, we can find the order of any element $x \in X$ as the minimal divisor e of E such that $x^e = 1$. However, we wish to work with linear groups over fields of large characteristic, where factorization of E becomes unfeasible. Our approach allows us to avoid the determination of orders of random elements from X and consequently to avoid making any assumptions about the prime factorization of the global exponent.

For a black box group X arising from a subgroup of the ambient group $GL_n(F_{p^k})$, the exponent of $GL_n(F_{p^k})$ can be taken as a global exponent of X.

2.3. Axiom BB5. Our last comment on the axiomatics of black box groups is the observation that in almost all our work in this and subsequent papers [?] Axiom BB4 can be replaced by its corollary, Axiom BB5.

BB5 We are given a partial 1- or 2-valued function $\rho$ of two variables on X that computes, in probabilistic time polynomial in $l(X)$, square roots in cyclic subgroups of X in the following sense:

if $x \in X$ and $y \in \langle x \rangle$ has square roots in $\langle x \rangle$, then $\rho(x, y)$ is the set of these roots.

In particular,

• if |x| is even, $\rho(x, 1)$ is the subgroup of order 2 in $\langle x \rangle$;

• if |x| is even, then, consecutively applying $\rho(x, \cdot)$ to 2-elements in $\langle x \rangle$, we can find 2-elements in $\langle x \rangle$ of every order present;

• if |x| is odd and $y \in \langle x \rangle$, then $\rho(x, y)$ is the unique square root of y in $\langle x \rangle$.

We emphasize that Axiom BB5 provides everything needed for the construction of centralizers of involutions by the maps $\zeta_0$ and $\zeta_1$ of Section 3.6.
Axiom BB5 follows from BB4 by the Tonelli-Shanks algorithm [35, 36] applied to the cyclic group $\langle x \rangle$; see the next lemma, included here for completeness of exposition (usually the Tonelli-Shanks algorithm is formulated only for multiplicative groups of finite fields).

Lemma 2.1 (The Tonelli-Shanks Algorithm). Let T be a cyclic black box group with known global exponent E. Let z be an element in T that has a square root in T. Then an element $t \in T$ such that $t^2 = z$ can be found in probabilistic time polynomial in log E.

Proof. We write $E = 2^m n$ with n odd. Given $g \in T$, we shall say that l is the 2-height of g if $|g^n| = 2^l$; notice that this is equivalent to $2^l$ being the largest power of 2 that divides the order |g| of g.

Let $g \in T$ be an element of maximal 2-height l, that is, the order of g is divisible by the maximal power of 2 dividing the order of T. (A random element of the cyclic group T has this property with probability at least 1/2, and 2-heights are computed by repeated squaring, so such a g is found in probabilistic time polynomial in log E.) Then, clearly, g cannot be a square in T, that is, there is no element $y \in T$ with $y^2 = g$. Conversely, since z is a square, the 2-height of z is strictly smaller than l. We set

$a := z^{(n+1)/2}, \quad b := z^n, \quad c := g^n,$

so that $a^2 = zb$, the element c has order $2^l$ and $b$ lies in the Sylow 2-subgroup $\langle c \rangle$ of T, and run the loop:

• Find the smallest non-negative integer d such that $b^{2^d} = 1$; then $d < l$.

• If d = 0, then b = 1 and $a^2 = z$, so we return a (this is the only case that occurs when z has odd order).

• If d > 0, then set

$a := a c^{2^{l-d-1}}, \quad b := b c^{2^{l-d}}, \quad c := c^{2^{l-d}}, \quad l := d,$

and repeat. The identity $a^2 = zb$ is preserved, the new c has order $2^l$ for the new value of l, and the 2-height of the new b is strictly smaller than d, because $b^{2^{d-1}}$ and $(c^{2^{l-d}})^{2^{d-1}}$ are both the unique involution of $\langle c \rangle$ and therefore cancel.

• When d = 0, the element a is the desired square root of z.

Since d strictly decreases at every step, there are at most m iterations, each costing a number of group operations polynomial in log E. □
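The following Python program is an added worked example; it is not code from the paper and not the authors' GAP implementation. It realises Axiom BB5 for a cyclic black box group by the Tonelli-Shanks procedure of Lemma 2.1 using only the black box operations of BB1-BB4: the group is $\langle x \rangle \leq (\mathbb{Z}/97\mathbb{Z})^*$ with global exponent E = 96, and the code never looks at |x|, only at E (for $x = 35$ the group has order 3, while E is still 96). Arithmetic modulo 97 stands in for a real black box only so that the example runs offline; the class and helper names are ours. The search for an element of maximal 2-height by random sampling is the Monte Carlo step; everything else is deterministic.

```python
import random


class CyclicBlackBox:
    """Black box for the cyclic group T = <x> inside (Z/pZ)^*.

    Only multiplication and inversion (BB2), equality (BB3), random sampling (BB1)
    and a global exponent E (BB4) are exposed; the true order of x is never used.
    """

    def __init__(self, p, x, E, seed=None):
        self.p, self.x, self.E = p, x, E
        self.rng = random.Random(seed)

    def one(self):
        return 1

    def mul(self, a, b):
        return (a * b) % self.p

    def inv(self, a):
        return pow(a, -1, self.p)

    def eq(self, a, b):
        return a == b

    def power(self, a, e):
        """Square-and-multiply using BB2 only."""
        r, base = self.one(), a
        while e:
            if e & 1:
                r = self.mul(r, base)
            base = self.mul(base, base)
            e >>= 1
        return r

    def rand(self):
        """BB1 for the subgroup <x>: a random power of x."""
        return self.power(self.x, self.rng.randrange(self.E))


def split_exponent(E):
    """Write E = 2^m n with n odd; returns (m, n)."""
    m = 0
    while E % 2 == 0:
        E //= 2
        m += 1
    return m, E


def two_height(T, g, n):
    """Smallest l with (g^n)^(2^l) = 1, i.e. 2^l is the 2-part of |g| when n is the odd part of E."""
    h, l = T.power(g, n), 0
    while not T.eq(h, T.one()):
        h = T.mul(h, h)
        l += 1
    return l


def tonelli_shanks(T, z, trials=64):
    """Lemma 2.1: return t in T with t^2 = z, or None if z is not a square in T."""
    m, n = split_exponent(T.E)
    # Element of maximal 2-height: each random sample of the cyclic group T has
    # it with probability >= 1/2, so 'trials' samples all miss with probability
    # 2^-trials only. This is the Monte Carlo part of the procedure.
    g, l = T.one(), 0
    for _ in range(trials):
        s = T.rand()
        hs = two_height(T, s, n)
        if hs > l:
            g, l = s, hs
    a, b, c = T.power(z, (n + 1) // 2), T.power(z, n), T.power(g, n)  # a^2 = z b
    d = two_height(T, b, 1)          # smallest d with b^(2^d) = 1
    while d > 0:
        if d >= l:
            return None              # z has maximal 2-height, hence is not a square
        t = T.power(c, 2 ** (l - d - 1))   # order 2^(d+1)
        a = T.mul(a, t)
        c = T.mul(t, t)              # new c has order 2^d
        b = T.mul(b, c)              # 2-height of b drops below d; a^2 = z b still holds
        l = d
        d = two_height(T, b, 1)
    return a


def involution(T):
    """The unique involution of T = <x> if |x| is even, else None (the i(x) of Section 3.6)."""
    m, n = split_exponent(T.E)
    h = T.power(T.x, n)
    if T.eq(h, T.one()):
        return None
    while True:
        h2 = T.mul(h, h)
        if T.eq(h2, T.one()):
            return h
        h = h2


def rho(T, y):
    """Axiom BB5: the set of square roots of y in T = <x> (empty if y is not a square)."""
    t = tonelli_shanks(T, y)
    if t is None:
        return set()
    i = involution(T)
    return {t} if i is None else {t, T.mul(t, i)}
```

With $T = \langle 5 \rangle = (\mathbb{Z}/97\mathbb{Z})^*$ and E = 96 the call $\rho(T, 4)$ returns {2, 95}, $\rho(T, 1)$ returns the subgroup {1, 96} of order 2, and $\rho(T, 5)$ is empty because 5 generates the whole group; for the odd-order subgroup $\langle 35 \rangle$ the loop never runs and $\rho$ returns the single root 61.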

In this paper, we assume that all our black box groups satisfy Axioms BB1-BB4, or BB1-BB3 and BB5.

We emphasize that we do not assume that the black box groups under consideration in this paper are given as subgroups of ambient matrix groups; thus our approach is wider than the setup of the computational matrix group project [23]. Notice that we are not using Discrete Logarithm Oracles for finite fields $F_q$: in our setup, we start with a black box group without any access to the field over which the group is defined.

2.4. Black box fields. We define black box fields by analogy with black box groups, and the reader may wish to compare our exposition with [6]. We note here that, in this paper, we do not necessarily know the characteristic of the field. Therefore we slightly generalize the definition of a black box field given in [6, ?] by removing the assumption that the characteristic of the field is known.

A black box (finite) field K is an oracle or an algorithm operating on 0-1 strings of uniform length (input length) which encrypt some finite field F. The oracle can compute x + y and xy, and decides whether x = y, for any strings $x, y \in K$. If the characteristic p is known, we say that K is a black box field of known characteristic p. We refer the reader to [6, ?] for more details on black box fields of known characteristic and their applications to cryptography.

In this paper, we shall be using some results about the isomorphism problem for black box fields of known characteristic p [?], that is, the problem of constructing an isomorphism and its inverse between K and an explicitly given finite field $F_{p^n}$.
The explicit data for a finite field of cardinality $p^n$ is defined to be a system of structure constants over the prime field, that is, $n^3$ elements $(c_{ijk})_{i,j,k=1}^{n}$ of the prime field $F_p = \mathbb{Z}/p\mathbb{Z}$ (represented as integers in [0, p-1]) so that $F_{p^n}$ becomes a field with ordinary addition and multiplication by elements of $F_p$, and multiplication determined by

$s_i s_j = \sum_{k=1}^{n} c_{ijk} s_k,$

where $s_1, \dots, s_n$ denotes a basis of $F_{p^n}$ over $F_p$. The concept of an explicitly given field of order $p^n$ is robust; indeed, Lenstra Jr. has shown in [24, Theorem 1.2] that for any two fields A and B of order $p^n$ given by two sets of structure constants $(a_{ijk})_{i,j,k=1}^{n}$ and $(b_{ijk})_{i,j,k=1}^{n}$ an isomorphism $A \to B$ can be constructed in time polynomial in n log p.
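As an added illustration (ours, not the paper's), here is the explicit data of a field as a Python object: structure constants $c_{ijk}$ over $F_p$, multiplication defined exactly by the displayed formula, and the checks a practitioner should run before trusting such data, because a table of $n^3$ constants defines some algebra but not necessarily a field (Lenstra's theorem presupposes that both inputs are fields). The helper that derives constants from a monic polynomial and the brute-force field test are our conveniences for small $p^n$; the inputs $F_9 = F_3[s]/(s^2+1)$, $F_8 = F_2[s]/(s^3+s+1)$ and the non-field $F_3[s]/(s^2-1)$ are constructed for the example.

```python
import itertools


class StructureConstantField:
    """Explicit data of a finite field of order p^n (Section 2.4): elements are
    coefficient vectors (a_1, ..., a_n) over F_p, and multiplication is defined by
    the n^3 structure constants c[i][j][k] via s_i s_j = sum_k c[i][j][k] s_k."""

    def __init__(self, p, constants):
        self.p, self.c = p, constants
        self.n = len(constants)
        self.zero = (0,) * self.n
        self.basis = [tuple(int(k == i) for k in range(self.n)) for i in range(self.n)]

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        out = [0] * self.n
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                if ai and bj:
                    for k in range(self.n):
                        out[k] = (out[k] + ai * bj * self.c[i][j][k]) % self.p
        return tuple(out)

    def elements(self):
        return list(itertools.product(range(self.p), repeat=self.n))

    def one(self):
        """The multiplicative identity, or None if the constants give none."""
        for e in self.elements():
            if all(self.mul(e, s) == s and self.mul(s, e) == s for s in self.basis):
                return e
        return None

    def inverse(self, a):
        """Brute-force inverse (small p^n only); None for zero and for zero divisors."""
        one = self.one()
        for b in self.elements():
            if self.mul(a, b) == one:
                return b
        return None

    def is_field(self):
        """A table of constants defines some algebra; this checks that it is a field:
        commutative, associative, with identity, and every non-zero element invertible."""
        els = self.elements()
        if self.one() is None:
            return False
        for a in els:
            for b in els:
                if self.mul(a, b) != self.mul(b, a):
                    return False
                for c in els:
                    if self.mul(self.mul(a, b), c) != self.mul(a, self.mul(b, c)):
                        return False
        return all(self.inverse(a) is not None for a in els if a != self.zero)

    def mult_order(self, a):
        """Order of an invertible element a in the multiplicative group."""
        one, x, k = self.one(), a, 1
        while x != one:
            x, k = self.mul(x, a), k + 1
        return k


def constants_from_polynomial(p, f):
    """Structure constants of F_p[s]/(f) for the basis 1, s, ..., s^(n-1), where
    f = [f_0, ..., f_(n-1), 1] is monic of degree n. The result is a field exactly
    when f is irreducible over F_p, which is_field() verifies independently."""
    n = len(f) - 1
    powers = []                      # powers[e] = coefficients of s^e reduced modulo f
    cur = [1] + [0] * (n - 1)
    for _ in range(2 * n - 1):
        powers.append(tuple(cur))
        top = cur[n - 1]             # multiply by s, then replace s^n by -(f_0 + ... + f_(n-1) s^(n-1))
        cur = [0] + cur[:n - 1]
        for k in range(n):
            cur[k] = (cur[k] - top * f[k]) % p
    return [[list(powers[i + j]) for j in range(n)] for i in range(n)]


# Constructed inputs: F_9 = F_3[s]/(s^2 + 1), F_8 = F_2[s]/(s^3 + s + 1), and the
# ring F_3[s]/(s^2 - 1), whose constants are well-formed but define no field.
F9 = StructureConstantField(3, constants_from_polynomial(3, [1, 0, 1]))
F8 = StructureConstantField(2, constants_from_polynomial(2, [1, 1, 0, 1]))
NOT_A_FIELD = StructureConstantField(3, constants_from_polynomial(3, [2, 0, 1]))
```

In $F_9$ the element $1 + s$ has inverse $2 + s$, while in $F_3[s]/(s^2-1)$ the same coefficient vectors multiply to zero, so `is_field()` rejects that table even though it has the right shape.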

Maurer and Raub [?] proved that the construction of an isomorphism and its inverse between a black box field K of known characteristic p and an explicitly given field $F_{p^n}$ is reducible in polynomial time to the same problem for the prime subfield of K and $F_p$.

Using our terminology, their proof can be reformulated to yield the following result.

Theorem 2.2. Let K and L be black box fields of known characteristic p encrypting the same finite field, and $K_0$, $L_0$ their prime subfields. Then an isomorphism

$K_0 \to L_0$

can be extended in time polynomial in the input length to an isomorphism

$K \to L$.

Obviously, if char K = p and p is known, we can find multiplicative inverses easily and therefore we always have an isomorphism $F_p \to K_0$. The existence of the reverse isomorphism $K_0 \to F_p$ would follow from a solution of the discrete logarithm problem in $K_0$. In particular, this means that, for small primes p, every black box field of order $p^n$ is effectively isomorphic to $F_{p^n}$.


3. Morphisms and protomorphisms

3.1. Morphisms. Given two black boxes X and Y encrypting finite groups G and H, respectively, we say that a map $\zeta$ which assigns to strings from X strings from Y is a morphism of black box groups if

• the map $\zeta$ is computable in probabilistic time polynomial in $l(X)$ and $l(Y)$, and

• there is an abstract homomorphism $\phi : G \to H$ such that the following diagram is commutative:

$\zeta : X \to Y, \quad \pi_X : X \to G, \quad \pi_Y : Y \to H, \quad \phi : G \to H, \qquad \pi_Y \circ \zeta = \phi \circ \pi_X,$

where $\pi_X$ and $\pi_Y$ are the canonical projections of X and Y onto G and H, respectively.
We shall say in this situation that the morphism $\zeta$ encrypts the homomorphism $\phi$. For example, morphisms arise naturally when a black box group X is given by a generating set and we replace the generating set of X by a more convenient one and start sampling the product replacement algorithm for the new generating set; in fact, we replace the black box for X and deal with a morphism $Y \to X$ from the new black box Y into X.

Slightly abusing terminology, we say that a morphism $\zeta$ is an embedding, or an epimorphism, etc., if $\phi$ has these properties. In accordance with standard conventions, hooked arrows $\hookrightarrow$ stand for embeddings and double-headed arrows $\twoheadrightarrow$ for epimorphisms; dotted arrows are reserved for abstract homomorphisms, including natural projections

$\pi_X : X \dashrightarrow \pi(X);$

the latter are not necessarily morphisms, since, by the very nature of black box problems, we do not have efficient procedures for constructing the projection of a black box onto the (abstract) group it encrypts.

3.2. Black box subgroups. If we have an embedding of black box groups $Y \hookrightarrow X$, we shall say that Y is a subgroup of X.

Black box subgroups will be constructed in this paper in one of the following three ways:

• We generate Y by some strings $y_1, \dots, y_m \in X$ and use some version of the product replacement algorithm [?] for random sampling.

• Given black box subgroups $Y_1, \dots, Y_k$ in X, we generate a subgroup $Y = \langle Y_1, \dots, Y_k \rangle$ by taking generating sets in the $Y_i$ and combining them into a generating set of Y.

• Y is the centralizer in X of an involution, or of a proto-involution in the sense of Section 3.5, when we apply the procedure described in Section 3.6 to "populate" Y and eventually find a generating set for Y.

3.3. Morphisms as black box groups. Observe that a map $\phi : G \to H$ from a group to a group is a homomorphism of groups if and only if its graph

$\Gamma = \{ (g, \phi(g)) : g \in G \}$

is a subgroup of $G \times H$.

At this point it becomes useful to introduce direct products of black boxes: if X encrypts G and Y encrypts H, then the black box $X \times Y$ produces pairs of strings (x, y) by sampling X and Y independently, with operations carried out componentwise in X and Y; of course, $X \times Y$ encrypts $G \times H$.

This allows us to treat a morphism $\zeta : X \to Y$ of black box groups as a black box subgroup $Z \leq X \times Y$ encrypting $\Gamma$:

$Z = \{ (x, \zeta(x)) : x \in X \}$

with the natural projection

$\pi_Z : Z \to \Gamma, \quad (x, \zeta(x)) \mapsto (\pi_X(x), \phi(\pi_X(x))).$

In practice this means (although in some cases we use a more sophisticated construction) that we can find strings $x_1, \dots, x_k$ generating X with known images $y_1 = \zeta(x_1), \dots, y_k = \zeta(x_k)$ in Y and then use the product replacement algorithm to run a black box for the subgroup

$Z = \langle (x_1, y_1), \dots, (x_k, y_k) \rangle \leq X \times Y,$

which is of course exactly the graph $\{ (x, \zeta(x)) \}$ of $\zeta$. Random sampling of the black box Z returns strings $x \in X$ with their images $\zeta(x) \in Y$ already attached.

3.4. Protomorphisms. Let X and Y be black box groups encrypting groups G and H, respectively, and $\pi$ the canonical projection of $X \times Y$ onto $G \times H$. A protomorphism Z between black box groups X and Y is a black box subgroup $Z \leq X \times Y$ such that $\pi(Z)$ is the graph of a homomorphism from G to H or from H to G; the direction of the homomorphism is not fixed here. We say that Z encrypts this homomorphism.

We shall construct new black boxes from the given ones, and in these constructions strings in X will actually be pointers to other black boxes. Therefore it is convenient to think of elements of black boxes as other black boxes, the same way as in ZF set theory all objects are sets, with some sets being elements of others. The projective plane constructed in Section 6 provides a good example: it can be seen as consisting of points and lines, where a "line" is a black box that produces random "points" on this line and a "point" is a black box that produces random "lines" passing through this point.

In a black box group X, it is frequently useful to associate with an element encrypted by a string $x \in X$ a black box for the graph of a specific homomorphism, namely conjugation by x, viewed as a subgroup of the direct product $X \times X$, the latter provided with group operations and equality relation in the obvious way:

$C_x = \{ (y, y^x) : y \in X \}.$

From the computational point of view, treating a homomorphism $X \to Y$ of black box groups X and Y as a black box subgroup of their direct product $X \times Y$ has turned out to be an efficient conceptualization of previously inaccessible objects, as can be seen, for example, in the "reification of involutions", see Section 3.7.

Given black box groups $X_1, \dots, X_n$, we can define their direct product

$X = X_1 \times \dots \times X_n$

in the expected way, consecutively sampling strings $x_i \in X_i$ to form a random n-tuple $(x_1, \dots, x_n) \in X$, and carrying out group operations on X component-wise. Later in the paper we use semidirect products of black box groups. They arise in a situation when we have two black box groups X and Y and a procedure, polynomial time in $l(X)$ and $l(Y)$, for the action of Y on X by automorphisms,

$X \times Y \to X, \quad (x, y) \mapsto x^y;$

then $X \rtimes Y$ is defined as the set of pairs $X \times Y$ with multiplication

$(x_1, y_1) \circ (x_2, y_2) := (x_1 x_2^{y_1^{-1}}, y_1 y_2).$

3.5. Amalgamation of local proto-involutions. Let X be a black box group encrypting a group G. Expanding the terminology of the previous section, a proto-involution F on X is a black box subgroup $F \leq X \times X$ for the graph of an involutive automorphism of G.

Assume that black box subgroups $Y_1, \dots, Y_k$ in X encrypt, respectively, subgroups $H_1, \dots, H_k$ in G, and that $\langle H_1, \dots, H_k \rangle = G$. Assume that $\phi_1, \dots, \phi_k$ are involutive automorphisms of the subgroups $H_1, \dots, H_k$, respectively, and $F_i$ are proto-involutions on $Y_i$ encrypting $\phi_i$, $i = 1, \dots, k$. We say that the system of proto-involutions $F_1, \dots, F_k$ is consistent if, in addition to the previous assumptions, there exists an automorphism $\phi$ of G such that $\phi_i = \phi|_{H_i}$ for all $i = 1, \dots, k$.

Theorem 3.1 (Amalgamation of local proto-involutions). If $F_1, \dots, F_k$ is a consistent system of proto-involutions on black box subgroups in X, then

$F = \langle F_1, \dots, F_k \rangle$

is a proto-involution on X.

Proof. The proof is self-evident. □

We shall call F the amalgam of the proto-involutions $F_1, \dots, F_k$.

Theorem 3.2 (Augmentation of a black box group by a proto-involution). If $F \leq X \times X$ is a proto-involution on X representing an involutive automorphism $\phi$ of G, we can construct an involutive automorphism $\sigma$ of F by setting

$\sigma : (x, x') \mapsto (x', x)$ for $(x, x') \in F$.

Then the semidirect product $F \rtimes \{1, \sigma\}$ is a black box encrypting $G \rtimes \langle \phi \rangle$, with F canonically projecting onto G.

Proof. The proof is self-evident. □

Theorems 3.1 and 3.2 provide the conceptual frame for the construction of a black box group encrypting $SO_3(F)$ from a black box group encrypting $PSL_2(F)$, see Theorem 4.1.

3.6. Centralizer of a proto-involution. Let $F \leq X \times X$ be a proto-involution on X as defined in Section 3.5. We shall denote pairs of strings in F as $(x, x^\varphi)$ and set

$C_X(\varphi) = \{ x \in X \mid (x, x) \in F \}.$

By definition, $\varphi$ encrypts some involutive automorphism $\alpha \in \mathrm{Aut}(G)$ of G. It is easy to see that $C_X(\varphi) = \pi^{-1}(C_G(\alpha))$ is the preimage of $C_G(\alpha)$ under the projection $\pi : X \to G$.

Assume that X satisfies Axiom BB4 and has a global exponent $E = 2^k m$ with m odd.

If $x \in X$ is an element of even order, then the last non-identity element in the sequence

$x^m, \ (x^m)^2, \ \dots, \ (x^m)^{2^{k-1}}, \ (x^m)^{2^k} = 1$

is an involution, denoted by $i(x)$.

If $x \in X$ is an element of odd order, then the element $y = x^{(m+1)/2}$ obviously satisfies $y^2 = x$ (since $x^m = 1$) and is the unique square root of x in $\langle x \rangle$; we denote $y = \sqrt{x}$.

It follows from the arguments in [?] that we have the map $\zeta = \zeta_0 \cup \zeta_1$,

$\zeta : F \to C_X(\varphi),$

$\zeta_0((x, x^\varphi)) = i(x^\varphi x^{-1})$ if $o(x^\varphi x^{-1})$ is even,

$\zeta_1((x, x^\varphi)) = \sqrt{x^\varphi x^{-1}} \cdot x$ if $o(x^\varphi x^{-1})$ is odd.

Indeed, $\varphi$ inverts $y = x^\varphi x^{-1}$ (because $y^\varphi = x \, (x^\varphi)^{-1} = y^{-1}$), so $\varphi$ fixes the involution $i(y)$ and sends $\sqrt{y}$ to $\sqrt{y}^{-1}$, whence $(\sqrt{y} \cdot x)^\varphi = \sqrt{y}^{-1} x^\varphi = \sqrt{y}^{-1} y x = \sqrt{y} \cdot x$.

If X is a simple group of Lie type, then, as shown in [33], $\zeta_1$ is defined with probability $O(1/n)$, where n is the Lie rank of X. Furthermore, the same calculation as in [3, Section 6] proves that the elements $\zeta_1((x, x^\varphi))$ are uniformly distributed over $C_X(\varphi)$. Therefore $\zeta_1$ provides an efficient black box for $C_X(\varphi)$. Observe that this construction still works if Axiom BB4 is replaced by the weaker Axiom BB5.

The map $\zeta_0$ is useful when we are interested mostly in involutions in $C_X(\varphi)$, as happens, for example, in the reification of involutions, see Section 3.7.

3.7. Reification of an involution. We approach the most fascinating part of the story: identification of an involution in X from its description. We shall call this procedure the reification of an involution.

Following the notation from the previous subsection, assume that $F \leq X \times X$ is a proto-involution on X corresponding to an inner automorphism of G, more specifically, to conjugation by an involution $h \in G$. We want to find in X a string x that represents h. Obviously, $x \in C_X(\varphi)$, and $C_X(\varphi)$ can be constructed as described in the previous subsection. Denote $Y_1 = C_X(\varphi)$ and observe that $x \in Z(Y_1)$. Find in $Y_1$ an involution $y_1$ and compute $Y_2 = C_{Y_1}(y_1)$, and so on.

If G is a simple group of Lie type of odd characteristic and of Lie rank n, the length of chains of centralizers is bounded by a polynomial in its Lie rank (and in any case centralizer chains are not longer than chains of subgroups in G), giving a crude upper bound of log |G|. Also, elements of even order (hence involutions) in Lie groups of odd characteristic are abundant by [21]. Therefore in this particular situation the process quickly produces a subgroup $Y_l$ which contains x and has the property that all involutions in $Y_l$ belong to $Z(Y_l)$ and therefore (taken together with the identity element) form an elementary abelian 2-subgroup Z. Since $x \in Z$, it can be identified in Z by testing every possibility: $z \in Z$ represents h precisely when conjugation by z agrees with $\varphi$, which is checked by testing $y^z = y^\varphi$ on random pairs $(y, y^\varphi)$ sampled from F. These crude estimates show that the reification procedure works in probabilistic time polynomial in |Z| and log E, where E is the global exponent of X.

In this paper, reification of involutions is applied to $SO_3(F)$ in odd characteristic, where proper centralizers are abelian or dihedral and Z is at most of order 4, making the implementation of the procedure pretty fast.

More generally, if G is a simple group of Lie type of odd characteristic, then the computation of $Z(C_X(\varphi))$ can be done in time polynomial in log E only by the technique of the analysis of centralizers of involutions developed in [8, ?, 38]; details of the enhanced procedure will be published elsewhere, they are not needed in this paper.
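The following Python program is an added example, not the authors' code: it runs the maps $\zeta_0$ and $\zeta_1$ of Section 3.6 and the identification step of Section 3.7 on a toy group where everything can be verified by brute force. We take X = Sym(5) (elements as permutation tuples; global exponent E = 60 = $2^2 \cdot 15$), let F be the graph of conjugation by a hidden involution h, and use only pairs $(x, x^\varphi)$ sampled from F. Sym(5) is not a group of Lie type, so the uniform-distribution statement above is not claimed for it; the example only shows that every $\zeta$ value centralizes $\varphi$, that $\zeta_1$ reaches the whole centralizer, and that h is recovered from its proto-involution. Because the centralizer here is small, the candidates for reification are simply all involutions found in $C_X(\varphi)$ rather than the central involutions at the bottom of a centralizer chain. All names are ours.

```python
import itertools
import random

# X = Sym(5): permutations of {0, ..., 4} as tuples. mul(a, b) applies a first, then b,
# so conjugation x^h = h^-1 x h follows the right-action convention of the paper.
N = 5
IDENTITY = tuple(range(N))
E = 60               # global exponent of Sym(5) = lcm(1, ..., 5) = 2^2 * 15
K, M = 2, 15         # E = 2^K * M with M odd


def mul(a, b):
    return tuple(b[a[i]] for i in range(N))


def inv(a):
    r = [0] * N
    for i, ai in enumerate(a):
        r[ai] = i
    return tuple(r)


def power(a, e):
    r, base = IDENTITY, a
    while e:
        if e & 1:
            r = mul(r, base)
        base = mul(base, base)
        e >>= 1
    return r


def conj(x, h):
    """x^h = h^-1 x h."""
    return mul(mul(inv(h), x), h)


def involution_of(x):
    """i(x): last non-identity term of x^M, (x^M)^2, ..., (x^M)^(2^K); None if |x| is odd."""
    h = power(x, M)
    if h == IDENTITY:
        return None
    while True:
        h2 = mul(h, h)
        if h2 == IDENTITY:
            return h
        h = h2


def odd_sqrt(x):
    """sqrt(x) = x^((M+1)/2) for x of odd order, since then x^M = 1."""
    return power(x, (M + 1) // 2)


def zeta(pair):
    """zeta = zeta_0 U zeta_1 of Section 3.6 applied to a pair (x, x^phi) from F."""
    x, xphi = pair
    y = mul(xphi, inv(x))                  # y = x^phi x^-1; phi maps y to y^-1
    i = involution_of(y)
    if i is not None:
        return "zeta_0", i                  # |y| even: i(y) is fixed by phi
    return "zeta_1", mul(odd_sqrt(y), x)    # |y| odd: sqrt(y) x is fixed by phi


def proto_involution_samples(h, count, rng):
    """Simulates sampling the black box F = {(x, x^phi)} where phi is conjugation by h."""
    samples = []
    for _ in range(count):
        x = list(range(N))
        rng.shuffle(x)
        x = tuple(x)
        samples.append((x, conj(x, h)))
    return samples


def brute_force_centralizer(h):
    return {p for p in itertools.permutations(range(N)) if mul(p, h) == mul(h, p)}


def reify(samples, candidates):
    """Section 3.7: the candidates z whose conjugation action agrees with phi on every sample."""
    return [z for z in candidates if all(conj(x, z) == xphi for x, xphi in samples)]


def demo(seed=7, count=1500):
    """h = (0 1)(2 3) is hidden inside F; recover C_X(phi) from zeta, then h itself."""
    rng = random.Random(seed)
    h = (1, 0, 3, 2, 4)
    samples = proto_involution_samples(h, count, rng)
    found = {zeta(pair)[1] for pair in samples}
    involutions = {z for z in found if z != IDENTITY and mul(z, z) == IDENTITY}
    return {"h": h, "centralizer": found, "reified": reify(samples, involutions)}


if __name__ == "__main__":
    result = demo()
    print(len(result["centralizer"]), "centralizer elements found; reified:", result["reified"])
```

The centralizer of h = (0 1)(2 3) in Sym(5) is dihedral of order 8 and contains five involutions; only h itself passes the reification test, because any other candidate z would require $zh$ to commute with every sampled x.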


3.8. Involutions in $PSL_2(2^n)$. Let X be a black box group encrypting $PSL_2(2^n)$ for some $n \geq 2$. A paper by Kantor and Kassabov [22] contains a construction of an involution in X, a result analogous to the results in this paper. We shall now show how involutions in $PSL_2(2^n)$ can be most naturally constructed by our methods.

• Take in X two non-commuting elements $y_1$ and $y_2$ of odd orders > 3 (for large n, any two random elements will do with probability close to 1) and generate $Y_1 = \langle y_1 \rangle$ and $Y_2 = \langle y_2 \rangle$.

• Generate the black box subgroup $Y = \langle Y_1, Y_2 \rangle$ and observe that it is isomorphic to $PSL_2(2^m)$ for some m > 3.

• It is a well-known property of the subgroups $PSL_2(2^m)$ that $Y_1$ and $Y_2$ are inverted by some involution $x \in Y$. Hence we have two consistent proto-involutions $F_1$ and $F_2$ describing the automorphisms $y \mapsto y^{-1}$ of $Y_1$ and $Y_2$, respectively.

• Form the amalgam $F = \langle F_1, F_2 \rangle$; the proto-involution $\varphi$ is the action of conjugation by x.

• The centralizer $C_X(\varphi)$ is a Sylow 2-subgroup containing x.

4. Construction of $\mathrm{SO}_3$ from $\mathrm{PSL}_2$

It will become clear later in this paper that black box groups $\mathrm{PGL}_2 = \mathrm{SO}_3$ are more open to analysis than $\mathrm{SL}_2$ or $\mathrm{PSL}_2$. Therefore, extending a black box group encrypting $\mathrm{PSL}_2(\mathbb{F})$ to a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$ is important; it results from the amalgamation of proto-involutions, Theorem 3.1, and the augmentation of a black box group by a proto-involution, Theorem 3.2.

Theorem 4.1. Let $Y$ be a black box group encrypting a group $G = \mathrm{PSL}_2(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $Y$, there is an algorithm, polynomial in $\log E$, which constructs an external automorphism $\delta$ of $Y$ that encrypts a diagonal type automorphism $d$ of $G$ of order 2, so that the semidirect product $X = Y \rtimes \langle\delta\rangle$ encrypts $G \rtimes \langle d\rangle \simeq \mathrm{SO}_3(\mathbb{F})$.

Proof. We recall from the table of the centralizers of involutions in [19, Table 4.5.1] that $G$ has one conjugacy class of external involutive diagonal automorphisms. Let $d$ be its representative; then $C_G(d) = S \rtimes \langle w\rangle$ where $S$ is a torus of order $(q-1)/2$ or $(q+1)/2$ depending on whether $q \equiv -1 \bmod 4$ or $q \equiv 1 \bmod 4$, respectively, and $w$ is an involution inverting $S$. Observe that the order of the torus $S$ is odd. Take an involution $t \in C_G(d)$ inverting $S$ and assume that $t$ is contained in some maximal torus $T$. By the Frattini argument, $G \cdot N_{G\langle d\rangle}(T) = G\langle d\rangle$ and we can assume without loss of generality that $d$ normalizes $T$.

Notice that $\langle T, S\rangle = G$ and that $d$ centralizes $S$ and inverts every element in $T$. Therefore we can apply amalgamation and augmentation of proto-involutions by using Theorem 3.1 and Theorem 3.2.

The construction of tori $T$ and $S$ in $Y$ with these properties goes as follows. We construct an involution $u \in Y$ and its centralizer $C := C_Y(u)$. Note that $C = T \rtimes \langle w\rangle$ for some torus $T$ of even order containing the involution $u$. Now we find a random element $y \in Y$ such that the element $z := uu^y$ has odd order and set $S := \langle z\rangle$. Since $w$ is an involution inverting $T$, by [28, 1.8], a random element in $C$ is a generator of $T$ with probability $O(1/\log\log|\mathbb{F}|)$. Moreover, by similar arguments, the element $z$ is also a generator of some maximal torus $S$ of odd order with probability $O(1/\log\log|\mathbb{F}|)$.
Hence as soon as we have such tori $T$ and $S$ in $Y$, the amalgam $\delta$ of the local proto-involutions
\[
\alpha : T \to T,\ t \mapsto t^{-1}, \qquad \beta : S \to S,\ s \mapsto s
\]
is a proto-involution of $Y$ encrypting the external involutive diagonal automorphism $d$ of $G$, see Theorem 3.1. All we need is to augment $Y$ by $\delta$, see Theorem 3.2. □

4.1. Reification of involutions in $\mathrm{SO}_3(\mathbb{F})$. Reification of proto-involutions, as described in Section 3.7, is the most important procedure involved in our construction of unipotent elements in $\mathrm{SO}_3(\mathbb{F})$ and in the proof of Theorem 1.3.

Theorem 4.2. Let $X$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic and $|\mathbb{F}| > 9$. Let $s, t \in X$ be two distinct involutions such that $st$ is not a unipotent element. Then, with a given exponent $E$ for $X$, there is an algorithm which runs in time polynomial in $\log E$ and constructs the involution $j$ commuting with $s$ and $t$.

For two distinct involutions $s, t \in X$, we denote the only involution in $X$ that commutes with both $s$ and $t$ (if such an involution exists) by $j(s,t)$.

Proof. Notice first of all that, due to basic properties of the groups $\mathrm{SO}_3(\mathbb{F})$, the involution $j$ commuting with $s$ and $t$ exists and is unique in $\mathrm{Aut}(\mathrm{SO}_3(\mathbb{F})) = \mathrm{SO}_3(\mathbb{F})$.

We set $z := st$. Observe first that since $z$ is not a unipotent element, the involution $j$ commuting with both $s$ and $t$ exists. If the order of $z$ is even, then $j$ is the unique involution in $\langle z\rangle$, which can be computed by the square-and-multiply method. If $z$ has odd order, then observe that $j$ centralizes $Z = \langle z\rangle$ and inverts every element in the torus $T_s$ containing $s$; the construction of $T_s$ is similar to the construction of tori in the proof of Theorem 4.1. Since the order of $z$ is odd, we have $|Z| \ge 3$ and so $X = \langle T_s, Z\rangle$.

Now the involution $j$ can be found by amalgamating the local proto-involutions
\[
x \mapsto x^{-1} \text{ on } T_s, \qquad x \mapsto x \text{ on } Z
\]
and reifying the result. The last step can be run very efficiently due to the fact that, in $G = \mathrm{SO}_3(\mathbb{F})$ where $\mathbb{F}$ is a finite field of odd characteristic with $|\mathbb{F}| > 9$, involutions $r \in G$ have the property that $Z(C_G(r)) = \langle r\rangle$; see details in Section 3.7. □

5. Geometry of involutions in $\mathrm{PGL}_2(\mathbb{F}) \simeq \mathrm{SO}_3(\mathbb{F})$

Let $G \simeq \mathrm{PGL}_2(\mathbb{F}) \simeq \mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of odd characteristic $p$. This is the most basic of all groups of Lie type, and for that reason it is very tightly built in the black box setting. We shall see that the actions of involutions from $G$ control properties of every facet of the structure of the group and its Lie algebra. Involutions are multifunctional: they act as pointers to tori in the group $G$, to toric subalgebras in the Lie algebra $\mathfrak{l} = \mathrm{Lie}(G)$ of $G$, to points and to lines in the projective plane associated with $\mathfrak{l}$ as an $\mathbb{F}$-vector space, and they control the polarity in this plane.
5.1. Involutions. The Lie algebra $\mathfrak{l} = \mathfrak{sl}_2$ is the vector space of $2 \times 2$ matrices of trace 0 with the Lie bracket $[A, B] = AB - BA$. The isomorphism $\mathrm{PGL}_2(\mathbb{F}) \simeq \mathrm{SO}_3(\mathbb{F})$ comes from the adjoint action of $\mathrm{PGL}_2(\mathbb{F})$ on its Lie algebra $\mathfrak{sl}_2$, that is, the action by conjugation on $\mathfrak{sl}_2$. In this action, the group $\mathrm{PGL}_2$ becomes the group of automorphisms of $\mathfrak{l} = \mathfrak{sl}_2$ and therefore preserves the Killing form $K$ on $\mathfrak{l}$,
\[
K(\alpha, \beta) = \mathrm{Tr}(\mathrm{ad}(\alpha) \cdot \mathrm{ad}(\beta));
\]
moreover, it coincides with the orthogonal group $\mathrm{SO}_3(\mathfrak{l}, K)$ since $K$ is a symmetric bilinear form.

We denote by $\mathfrak{l}$ the 3-dimensional $\mathbb{F}$-vector space of the canonical representation of $G = \mathrm{SO}_3(\mathbb{F})$. The vectors in $\mathfrak{l}$ will be denoted by lower case Greek letters.

Note that a vector $\alpha \in \mathfrak{l}$ is semisimple in the Lie algebra sense if and only if $K(\alpha, \alpha) \ne 0$, and nilpotent if and only if $K(\alpha, \alpha) = 0$.

Every semisimple element $\sigma$ in $\mathfrak{l}$ gives rise to an involution in $G$, the half-turn $s_\sigma$ around the one-dimensional space generated by $\sigma$:
\[
s_\sigma : \alpha \mapsto \frac{2K(\alpha, \sigma)}{K(\sigma, \sigma)}\,\sigma - \alpha.
\]
Observe that the half-turn $s_\sigma$ is not changed if we replace $\sigma$ by a non-zero scalar multiple $c\sigma$.

Moreover, every involution in $G$ is a half-turn. Indeed, in its adjoint action on $\mathfrak{l}$, every involution $s$ from $G$ has eigenvalues $+1, -1, -1$. If $\sigma$ is an eigenvector of $s$ for the eigenvalue $+1$ then obviously $s = s_\sigma$. Denote the $+1$-eigenspace (the axis of the half-turn $s$) by $\mathfrak{t}_s$. Obviously, $\mathfrak{t}_s$ is a 1-dimensional non-isotropic subspace of $\mathfrak{l}$ and thus a toric subalgebra of $\mathfrak{l}$. If $T_s$ is a torus in $G$ containing $s$ then $\mathfrak{t}_s = \mathrm{Lie}(T_s)$, the Lie algebra of $T_s$.

Therefore the set $\mathfrak{I}$ of involutions in $G$ is in one-to-one correspondence with the set of regular points of the projective plane $\mathfrak{P} = \mathfrak{P}(\mathfrak{l})$ (that is, the images in $\mathfrak{P}$ of semisimple elements of $\mathfrak{l}$).

5.2. Lines. Notice that every 1-dimensional subspace $\mathfrak{a}$ in $\mathfrak{l}$ is a Lie subalgebra of $\mathfrak{l}$ and coincides with the Lie algebra $\mathrm{Lie}(A)$ of some 1-dimensional algebraic subgroup $A < G$. Assuming that $|\mathbb{F}| = q$, the latter belongs to one of three conjugacy classes:

• split tori: cyclic subgroups of order $q - 1$,

• non-split tori: cyclic subgroups of order $q + 1$,

• maximal unipotent subgroups of order $q$,

see the beautiful paper by Boris Weisfeiler.

Therefore the set $\mathfrak{W}$ of 1-dimensional algebraic subgroups $A$ in $G$ is in one-to-one correspondence
\[
A \leftrightarrow \mathrm{Lie}(A)
\]
with the set of points of the projective plane $\mathfrak{P}$. We shall call $\mathfrak{W}$ the Weisfeiler plane.

It will be convenient to identify $\mathfrak{W}$ with the dual plane $\mathfrak{P}^*$ of $\mathfrak{P}$ and treat elements of $\mathfrak{W}$ as lines of $\mathfrak{P}$. For that we need to describe the incidence relation, that is, the sets of points belonging to a line. There will be two kinds of points:

• involutive (or toric, or semisimple, or regular), and

• unipotent (or parabolic, or tangent).
The set of all involutive points in $\mathfrak{P}$ is simply the set of all involutions in $G$. If $A$ is a 1-dimensional subgroup in $G$, the line $\ell(A)$ associated with it contains all involutions inverting $A$; if $w$ is one of these involutions, then $\ell(A)$ coincides with the coset $Aw$.

The key to our analysis is the following simple observation, which is the basis of projective metric geometry in the sense of Bachmann [5].

Fact 5.1. Involutions $r, s, t \in \mathfrak{I}$ are collinear in $\mathfrak{P}$ if and only if $rst \in \mathfrak{I}$.

5.3. $\mathfrak{I}$ as a finite symmetric space. Now we shall study the action of $\mathfrak{I}$ on itself by conjugation.

For $s, t \in \mathfrak{I}$, denote
\[
s \circ t = t^s.
\]
This is a non-associative binary operation satisfying the identities:

SD1 $s \circ s = s$

SD2 $s \circ (s \circ t) = t$

SD3 $r \circ (s \circ t) = (r \circ s) \circ (r \circ t)$

Loos [25] introduced these identities for the algebraic axiomatization of symmetric spaces; axiom SD3 is called left self-distributivity, see Dehornoy [16]. The involutary plane $\mathfrak{I}$ with the conjugation operation $\circ$ is a finite field analogue of the real hyperbolic (Lobachevsky) plane viewed as a symmetric space; we shall refer to its geometry as Lobachevsky geometry.

5.4. Harmonic conjugation. The following two simple observations will be useful in the analysis of our constructions.

Lemma 5.2. The involutions $s$, $t$ and $s \circ t = t^s$ are collinear.

Proof. This immediately follows from Fact 5.1 since
\[
s \cdot t^s \cdot t = s \cdot sts \cdot t = tst = s^t
\]
is an involution. □

Lemma 5.3. Let $s$ and $t$ be two distinct commuting involutions in $\mathfrak{I}$, and assume that $r \in \mathfrak{I}$ has the property that $s^r = t$. Then

(a) $r = sh^{\pm 1}$ where $h^{\pm 1}$ are the two square roots of $st$ in $T_{st}$;

(b) the points $r_1 = sh$ and $r_2 = sh^{-1}$ are harmonic conjugate with respect to $s$ and $t$.

Proof. (a) The subgroup $\langle r, s, t\rangle$ is dihedral of order 8 and it lies in the dihedral group $C_G(st) = T_{st} \rtimes \langle r\rangle$, where the statement becomes obvious.

(b) Conjugation by $s$ is a projective collineation of $\mathfrak{P}$; it centralizes $s$ and $t$ and swaps $r_1$ and $r_2$, which means that $r_1$ and $r_2$ are harmonic conjugate with respect to $s$ and $t$. □

5.5. Missing points in $\mathfrak{I}$. Different lines in $\mathfrak{I}$ contain different numbers of points. If $A$ is of order $q - 1$, the coset $Aw$ contains $q - 1$ involutions, while every line in a projective plane contains $q + 1$ points. The missing points are maximal unipotent subgroups of $G$ treated as points of $\mathfrak{P}$; the line associated with a 1-dimensional subgroup $A$ contains the point associated with the maximal unipotent subgroup $U$ if and only if $A$ normalizes $U$. We know that every split torus normalizes exactly two maximal unipotent subgroups, which adds the two missing points to the associated line.

If $|A| = q$, $A$ is a maximal unipotent subgroup and therefore normalizes itself, which adds the missing point to its line $\ell(A)$.

Finally, if $|A| = q + 1$, then $A$ is a non-split torus and therefore normalizes no unipotent subgroups; all $q + 1$ points in the associated line $\ell(A)$ are involutive.

5.6. Quadric. There is another way to map (partially) $\mathfrak{W}$ to $\mathfrak{P}$: assign to each torus $T < G$ the only involution $i(T)$ contained in $T$. Reversing this map, we assign to each involution $s \in \mathfrak{I}$ the torus $T_s \in \mathfrak{W}$ which contains $s$ and identify $s$ with the Lie subalgebra $\mathfrak{t}_s = \mathrm{Lie}(T_s)$ seen as a point in $\mathfrak{P}$.

If $U \in \mathfrak{W}$ is a maximal unipotent subgroup in $G$ then its Lie algebra $\mathfrak{u} = \mathrm{Lie}(U)$ is a singular point in $\mathfrak{P}$ and belongs to the quadric $\mathfrak{Q}$ in $\mathfrak{P}$ given by the equation $K(v, v) = 0$ in terms of the Killing form $K(\cdot, \cdot)$ on $\mathfrak{l}$. Notice that
\[
\mathfrak{I} \cup \mathfrak{Q} = \mathfrak{P},
\]
so the quadric $\mathfrak{Q}$ is the missing (that is, not represented by involutions) part of the projective plane $\mathfrak{P}$. We find ourselves in the axiomatic set-up of projective metric geometry in terms of groups and involutions as it was developed by Bachmann [5] and his school, especially by Schröder [84]. The following result is the apex of projective metric geometry.

Fact 5.4. (Schröder [84]) Let $\mathfrak{T}$ be a projective plane and let $\mathfrak{U}$ be a set of points that contains at most two points of any line of $\mathfrak{T}$. Assume further that the points in $\mathfrak{T} \setminus \mathfrak{U}$ are in a one-to-one correspondence with the set $\mathfrak{J}$ of involutions of some group $G$ in such a way that any three involutions $i, j, k \in \mathfrak{J}$ correspond to collinear points in $\mathfrak{T} \setminus \mathfrak{U}$ if and only if their product $ijk \in \mathfrak{J}$. Then there exist a field $K$ and a quadratic form $Q$ on the 3-dimensional vector space $K^3$ such that $\mathfrak{T} = \mathbb{P}^2(K)$ and $\mathfrak{U}$ is the quadric in $\mathbb{P}^2(K)$ given by the equation $Q(x) = 0$.

As we can see, the configuration that we are in is well understood in abstract group theory; our task is to analyse it using black box group theory methods. Our principal difficulty is that when we look at the configuration where $\mathfrak{P}$, $\mathfrak{I}$, $\mathfrak{Q}$ are playing the roles of $\mathfrak{T}$, $\mathfrak{J}$ and $\mathfrak{U}$, respectively, the quadric $\mathfrak{Q}$ is invisible. Indeed, the probability for a random element from $G$ to be unipotent, or for two random involutions from $G$ to produce a unipotent element as their product, is $O(1/|\mathbb{F}|)$, that is, astronomically small for a large field $\mathbb{F}$. But, as we shall soon see, although we do not yet have the quadric $\mathfrak{Q}$ in our possession, we have the associated polarity.

5.7. Polarity. The key geometric property of half-turns is that two distinct involutions $s_\sigma$ and $s_\tau$ commute if and only if $\sigma$ and $\tau$ are orthogonal to each other, that is, $K(\sigma, \tau) = 0$, and even more so,
\[
K(\mathfrak{t}_\sigma, \mathfrak{t}_\tau) = 0.
\]
We say that points $x, y \in \mathfrak{P}$ are perpendicular to each other if they represent 1-dimensional subspaces in $\mathfrak{l}$ which are orthogonal to each other; we shall denote this by $x \perp y$. The polar image $\pi(x)$ of a point $x \in \mathfrak{P}$ is defined as
\[
\pi(x) = \{\, y \mid x \perp y \,\}.
\]
It is a straight line in $\mathfrak{P}$. Observe further that $x \in \mathfrak{P}$ is a toric point if and only if $x \notin \pi(x)$, and is a unipotent point if and only if $x \in \pi(x)$.
Now we shall describe $\pi(U)$ for a unipotent point $U$ seen as a maximal unipotent subgroup. A torus $\mathfrak{t} < \mathfrak{l}$ normalizes a nilpotent subalgebra $\mathfrak{u} < \mathfrak{l}$ if and only if $\mathfrak{b} = \mathfrak{t} \oplus \mathfrak{u}$ is a Borel subalgebra in $\mathfrak{l}$. Since $\mathfrak{u}$ is the nilpotent radical of $\mathfrak{b}$, the Killing form restricted to $\mathfrak{b}$ degenerates on $\mathfrak{u}$, which means that $\mathfrak{b} \perp \mathfrak{u}$; but this can happen if and only if $\mathfrak{t} \perp \mathfrak{u}$. Therefore, in terms of the Weisfeiler plane $\mathfrak{W}$,
\[
\pi(U) = \{U\} \cup \{\, T \in \mathfrak{W} \mid T \text{ is a torus and normalizes } U \,\}.
\]
For an involution $t \in \mathfrak{I}$, we denote $\varpi(t) = \pi(t) \cap \mathfrak{I}$. Then we have
\[
\varpi(t) = \{\, x \in \mathfrak{I} \mid [x, t] = 1 \text{ and } x \ne t \,\}.
\]
Observe that $\varpi(t) = Tw$ for some involution $w$, that is, the coset of $T = T_t$ consisting of the involutions inverting $T$.

Similarly, for a unipotent point $U$, we have
\[
\varpi(U) = \{\, x \in \mathfrak{I} \mid x \text{ inverts } U \,\}.
\]
Depending on the nature of the point $t \in \mathfrak{P}$,
\[
\varpi(t) = \pi(t) \setminus (\pi(t) \cap \mathfrak{Q})
\]
lacks 0, 1 or 2 points of intersection of the straight line $\pi(t)$ with the quadric $\mathfrak{Q}$ and contains, respectively, $q + 1$, $q$, or $q - 1$ points. These three types of lines are called elliptic, parabolic, and hyperbolic, respectively.

The parabolic lines are tangent lines to $\mathfrak{Q}$, that is, lines having exactly one point in common with $\mathfrak{Q}$. In $\mathfrak{I}$, a parabolic line appears as the coset $Ut$ of a maximal unipotent subgroup $U$ in $G$ with respect to an involution $t$ inverting every element in $U$.


6. The black box projective plane

Let $X$ be a black box group encrypting $\mathrm{PGL}_2(\mathbb{F}) \simeq \mathrm{SO}_3(\mathbb{F})$ where $\mathbb{F}$ is a finite field of odd characteristic.

Using the black box $X$ as a computational engine, we shall construct a black box that encrypts the projective plane $\mathfrak{P}$; abusing notation, we shall denote it by the same letter $\mathfrak{P}$. Abusing notation again, we use the symbol $\mathfrak{I}$ to denote the set of involutions in $X$ and view $\mathfrak{I}$ as a subset of $\mathfrak{P}$.

The elements or objects of $\mathfrak{P}$, points and lines, are pointers to certain black boxes which will be described now.

6.1. Points. There are two types of points in $\mathfrak{P}$: regular and parabolic.

A regular point is a pointer to a triple
\[
(s, T_s, \varpi(s))
\]
where $s \in \mathfrak{I}$ is an involution, $T_s$ is its torus, that is, the cyclic subgroup of index 2 in $C_X(s)$, and
\[
\varpi(s) = T_s w = \pi(s) \cap \mathfrak{I}
\]
is the set of regular points in the polar line $\pi(s)$, where $w \in C_X(s)$ is an involution inverting $T_s$.

A parabolic point is the same as a parabolic line as defined below.
6.2. Lines. There are two types of lines in $\mathfrak{P}$: toric and parabolic.

A parabolic line $u$ is a pointer to a black box for a subgroup $U \rtimes \langle t\rangle$ where $U < X$ encrypts a maximal unipotent subgroup $U < G$ and $t \in X$ encrypts an involution inverting every element in $U$. The line $u$ is incident to two kinds of points:

• $q$ regular points, the involutions in the coset $Ut$; and

• $u$ itself, seen as a point.

A toric or regular line $l$ is a black box for a subgroup $T \rtimes \langle w\rangle$ where $T < X$ encrypts a torus $T$ in $G$ and $w \in X$ encrypts an involution that inverts every element in $T$. A toric line is incident to the following points:

• If $|T| = q + 1$ then $l$ is incident only to the points represented by involutions in the coset $Tw$;

• If $|T| = q - 1$ then $l$ is incident to $q - 1$ points represented by involutions in the coset $Tw$ and, in addition, two parabolic points which will be constructed later but in abstract terms correspond to the two maximal unipotent subgroups normalized by $T$.

6.3. Serendipity construction of parabolic lines. It happens very rarely that a line through two random regular points $s$ and $t$ is parabolic; the probability of this event behaves asymptotically as $O(1/|\mathbb{F}|)$ and becomes astronomically small for a large field $\mathbb{F}$. However, if it happens by a sheer stroke of luck, we get a unipotent element $u = st$ and a black box for the parabolic subgroup
\[
B = \langle u^{T_s}\rangle \rtimes T_s,
\]
its maximal unipotent subgroup
\[
U = \langle u^{T_s}\rangle,
\]
and the set $Us$ of regular points in the parabolic line. We shall say on this occasion that we constructed a parabolic line
\[
u = s \vee t
\]
as the join of the regular points $s$ and $t$.

6.4. A line through two regular points. For two distinct involutions $s, t \in \mathfrak{I}$, define $j(s,t)$ as the only involution in $\mathfrak{I}$ that commutes with both $s$ and $t$.

If $j(s,t)$ does not exist for some $s, t \in \mathfrak{I}$ then $u = st$ is a unipotent element and
\[
s \vee t = \langle u^{T_s}\rangle \rtimes \langle t\rangle
\]
is a parabolic line through $s$ and $t$.

If $j(s,t)$ exists then the regular part of the line $s \vee t$ through $s$ and $t$ can be computed as
\[
(s \vee t) \cap \mathfrak{I} = \varpi(j(s,t)).
\]
Therefore computing $j(s,t)$ attains critical importance for our algorithms. This is easy when $st$ is of even order; in that case $j(s,t)$ is defined as the only involution in the cyclic group $\langle st\rangle$. If $R = \langle st\rangle$ is of odd order, we do not immediately have $j = j(s,t)$, but we know that its action on $X$ is uniquely defined by the following conditions:

• $j$ centralizes $R$; and

• $j$ inverts every element in the torus $T = T_t$.
As a consequence, we can draw a line $x \vee y$ through any two distinct points $x, y \in \mathfrak{I}$; this is a black box which produces, among other useful goods, the following sets of involutions:
\[
x \vee y =
\begin{cases}
\varpi(j(x,y)) & \text{if } |xy| \ne p, \\
\langle (xy)^{T_x}\rangle \cdot x & \text{if } |xy| = p.
\end{cases}
\]

6.5. Intersection of two lines. We use again reification of involutions for finding the intersection $k \wedge l$ of any two non-parabolic lines $k$ and $l$:
\[
k \wedge l =
\begin{cases}
\text{the common point of } k \text{ and } l, & \text{if this point belongs to } \mathfrak{I}; \\
\text{otherwise, the tangent line through the common parabolic point of } k \text{ and } l.
\end{cases}
\]
Indeed, if the lines $k$ and $l$ contain a common involution $w$ then their involutive parts $k \cap \mathfrak{I}$ and $l \cap \mathfrak{I}$ are
\[
k \cap \mathfrak{I} = Rw, \qquad l \cap \mathfrak{I} = Sw
\]
for the tori
\[
R = \{\, yw \mid y \in k \cap \mathfrak{I} \,\}, \qquad S = \{\, yw \mid y \in l \cap \mathfrak{I} \,\}
\]
inverted by $w$. Obviously, $w$ can be reified from these conditions.

If the lines $k$ and $l$ have no involution in common, then they intersect in a parabolic point and we find ourselves in a serendipity situation: this event is exceedingly rare and manifests itself in $\pi(k) \vee \pi(l)$ being a parabolic line (and we identify parabolic lines with their tangent points on the quadric):
\[
k \wedge l = \pi(k) \vee \pi(l).
\]


6.6. Polar projection. If $s$ is a regular point, then $s$ is not incident to its polar line $\pi(s)$. If $x \ne s$ is another point, the line $s \vee x$ is different from $\pi(s)$, and therefore the lines $s \vee x$ and $\pi(s)$ have a unique common point
\[
x' = \pi(s) \wedge (s \vee x).
\]
We shall denote the map defined by the rule
\[
x \mapsto \pi(s) \wedge (s \vee x)
\]
by
\[
x \mapsto \xi_s(x).
\]
This map is nothing more than the central projection with center $s$ onto $\pi(s)$. We shall call it the polar projection with center $s$, or the polar projection on the (regular) line $l = \pi(s)$. When $s$ is chosen to be a point at infinity, $\xi_s$ can be seen as the orthogonal projection of an affine part of $\mathfrak{P}$ onto $l = \pi(s)$. It is easy to check that the following two formulae for $\xi_s$ are equivalent:
\[
\xi_s(x) = \pi(s) \wedge (s \vee x) = j(j(x,s), s).
\]
6.7. Bisection of angles.

Lemma 6.1. Let $X$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Assume that $i, j \in X$ are two conjugate involutions. Then, given an exponent $E$ for $X$, we can find an involution $x \in X$ such that $i^x = j$ in time polynomial in $\log E$.

Proof. We set $E = 2^m n$ where $(2, n) = 1$, and set $z = ij$. If the order of $z$ is odd, that is, $z^n = 1$, then notice that $i^{z^{(n+1)/2}} = j$. Now, $z^{(n+1)/2} j$ is an involution conjugating $i$ to $j$.

Assume now that the order of $z$ is even and $k$ is the involution in $\langle z\rangle$, which is obtained by the repeated square-and-multiply method applied to the element $z^n \ne 1$. We denote by $Y$ the subgroup in $X$ encrypting $\mathrm{PSL}_2(\mathbb{F})$; it is well known that $|X : Y| = 2$ and $Y \trianglelefteq X$. Let $T$ be the maximal torus in $X$ containing $k$ and $T^2 = \{\, t^2 \mid t \in T \,\}$; then $T^2$ is the subgroup of index 2 in $T$ and $T^2 = T \cap Y$. Observe that $z = ij \in T^2$ because $i$ and $j$, being conjugate, simultaneously belong or do not belong to $Y$.

We can now apply the Tonelli-Shanks Lemma 2.1 and find $t \in T$ such that $t^2 = z$; after that we have
\[
i^{tj} = jt^{-1}itj = jt^{-1}j\,jitj = tjitj = t^2 jij = j.
\]
□


Lemma 6.2. Let $X$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $X$, we can represent an arbitrary element $x \in X$ of order $|x| > 2$ as a product of two involutions from $X$ in time polynomial in $\log E$.

Proof. This is another application of reification of involutions. Take an arbitrary semisimple element $y \in X$ and reify the involution $r$ that inverts $x$ and $y$. This works in the same way as in the construction of the intersection of non-parabolic lines. If we end up with a serendipitous discovery of a unipotent element, we need to repeat the reification with another choice of $y$. When we have the involution $r$, we can decompose
\[
x = r \cdot rx.
\]
□


7. Toolbox for constructions in the Lobachevsky plane

By restricting all our constructions to $\mathfrak{I}$, we can treat $\mathfrak{I}$ as a structure on its own, a black box Lobachevsky plane. It is a black box that

(a) produces uniformly distributed points from $\mathfrak{I}$;

(b) checks the equality of points;

(c) checks collinearity of triples of points;

(d) for any two points $s, t \in \mathfrak{I}$, computes the half-turn of $t$ around $s$, which we denote by $s \circ t$;

(e) for any involution $t \in \mathfrak{I}$, produces uniformly distributed regular points in the polar image of $t$:
\[
\varpi(t) = \{\, s \in \mathfrak{I} \mid s \circ t = t \text{ and } s \ne t \,\};
\]

(f) for any two distinct points $s, t \in \mathfrak{I}$, produces uniformly distributed regular points on the line $s \vee t$ through $s$ and $t$;

(g) for a regular line $l$ given by its two distinct points $s$ and $t$, constructs its pole $\varpi(l)$ (uniquely determined by the condition $\varpi(\varpi(l)) = l$) as $\varpi(l) = j(s,t)$;

(h) for any two distinct lines $k$ and $l$, finds their intersection point $k \wedge l$ or, if the lines $k$ and $l$ do not intersect in $\mathfrak{I}$ and therefore their intersection point $z$ belongs to $\mathfrak{Q}$, computes the tangent line
\[
\varpi(k) \vee \varpi(l)
\]
to $\mathfrak{Q}$ at the point $z$;

(i) for a point $s \in \mathfrak{I}$, computes the polar projection
\[
\xi_s : \mathfrak{I} \setminus \{s\} \to \pi(s), \qquad x \mapsto j(j(x,s), s);
\]

(j) for any two points $s, t \in \mathfrak{I}$ conjugate under the action of $X$, finds $r \in \mathfrak{I}$ such that $r \circ s = t$ (Lemma 6.1);

(k) represents any element of $X$ as a product of two involutions from $X$ (Lemma 6.2).

The key point is that operations (g), (h), and (i) may serendipitously fail; of course, this happens with asymptotically small probability $O(1/|\mathbb{F}|)$, but still, in theory it may happen. In this case, we accidentally leave $\mathfrak{I}$ and find a nontrivial unipotent element $u \in X$. In our next paper [9] we explain what to do with it; in this paper, we can simply ignore it, either by redoing the calculation from the beginning or by extending our calculations to the whole plane $\mathfrak{P}$.

However, in Section 10 we show how to enforce serendipity by directing calculations towards a unipotent element in $X$.

8. Construction of $\mathrm{Sym}_4$

The fundamental procedure in the coordinatization of $\mathfrak{P}$ is to construct a black box subgroup encrypting $\mathrm{Sym}_4$ in a black box group encrypting $\mathrm{SO}_3$ over some finite field of odd characteristic. As we shall see, a $\mathrm{Sym}_4$ subgroup provides us with a convenient basis triangle in $\mathfrak{P}$. Therefore, we first prove the following theorem.

Theorem 8.1. Let $X$ be a black box group encrypting $\mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of unknown odd characteristic. Then, with a given exponent $E$ for $X$, there is an algorithm constructing a subgroup encrypting $\mathrm{Sym}_4$ which runs in time polynomial in $\log E$.

Let $G = \mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of odd characteristic. It is well known that $G$ has two conjugacy classes of involutions. We say that an involution is of $+$-type if the order of its centralizer is $2(q - 1)$ and of $-$-type if the order of its centralizer is $2(q + 1)$. Notice that $C_G(i) = T \rtimes \langle w\rangle$ where $T$ is a torus of order $q \pm 1$ and $w$ is an involution inverting $T$. We will consider the involutions of $+$-type if $q \equiv 1 \bmod 4$ and of $-$-type if $q \equiv -1 \bmod 4$, so that the order of the torus $T$ is always divisible by 4; we call them involutions of right type.

We set a 5-tuple
\[
(i, j, x, s, T)
\]
where $i \in G$ is an involution of right type, $T < G$ is the torus in $C_G(i)$, $j \in G$ is an involution of right type which inverts $T$, $x \in G$ is an element of order 3 normalizing $\langle i, j\rangle$ and $s \in T$ is an element of order 4. We also set $k = ij$ and note that $k$ is also of right type. Clearly $\langle i, j, x\rangle = \mathrm{Alt}_4$ and $\langle i, j, x, s\rangle = \mathrm{Sym}_4$.
The crucial part of the algorithm in the construction of $\mathrm{Sym}_4$ in $X$ encrypting $\mathrm{SO}_3(\mathbb{F})$ is the construction of an element $x \in X$ of order 3 permuting some mutually commuting involutions $i, j, k \in X$ of right type. The following lemma provides an explicit construction of such an element. Throughout, $y^g = g^{-1} y g$.

Lemma 8.2. Let $G = \mathrm{SO}_3(\mathbb{F})$, where $\mathbb{F}$ is a finite field of odd characteristic. Let $i, j, k \in G$ be mutually commuting involutions of right type and $g \in G$ be an arbitrary element. Assume that $h_1 = ij^g$ has odd order $m_1$ and set $n_1 = h_1^{(m_1+1)/2}$ and $s = k^{gn_1^{-1}}$. Assume also that $h_2 = js$ has odd order $m_2$ and set $n_2 = h_2^{(m_2+1)/2}$. Then the element $x = gn_1^{-1}n_2^{-1}$ permutes $i, j, k$ and $x$ has order 3.

Proof. Observe first that $i^{n_1} = j^g$ and $j^{n_2} = s$ (if $a, b$ are involutions whose product $h = ab$ has odd order $m$, then $a^{h^{(m+1)/2}} = b$, because $a$ inverts $h$). Then, since $s = k^{gn_1^{-1}}$, we have $j^{n_2} = k^{gn_1^{-1}}$. Hence $j = k^{gn_1^{-1}n_2^{-1}} = k^x$. Now we prove that $j^x = i$. Since $j^{gn_1^{-1}} = i$, we have $j^x = j^{gn_1^{-1}n_2^{-1}} = i^{n_2^{-1}}$. We claim that $h_2 \in C_G(i)$, which implies that $n_2 \in C_G(i)$, so $j^x = i^{n_2^{-1}} = i$. Now, since $j \in C_G(i)$, $h_2 = js \in C_G(i)$ if and only if $s = k^{gn_1^{-1}} \in C_G(i)$. Moreover, since $i^{n_1} = j^g$, $s \in C_G(i)$ if and only if $k^g \in C_G(j^g)$, equivalently, $k \in C_G(j)$, and the claim follows. It is now clear that $i^x = k$ since $ij = k$, and $x$ has order 3. □

Lemma 8.3. Let $G, i, j, k, h_1$ and $h_2$ be as in Lemma 8.2. Then the probability that $h_1$ and $h_2$ have odd orders is bounded from below by $\frac{1}{2} - \frac{1}{2q}$.

Proof. We first note that the subgroup $\langle i, x\rangle = \mathrm{Alt}_4$ is a subgroup of $L < G$ where $L = \mathrm{PSL}_2(\mathbb{F})$, so the involutions $i, j, k$ belong to a normal subgroup isomorphic to $\mathrm{PSL}_2(\mathbb{F})$. Therefore it is enough to compute the estimate in $H = \mathrm{PSL}_2(\mathbb{F})$. Notice that all involutions in $H$ are conjugate. Therefore the probability that $h_1$ and $h_2$ have odd orders is the same as the probability that the product of two random involutions from $H$ is of odd order.

We set $|\mathbb{F}| = q$ and we denote by $a$ the one of the numbers $(q \pm 1)/2$ which is odd and by $b$ the other one. Then $|H| = q(q^2 - 1)/2 = 2abq$ and $|C_H(i)| = 2b$ for any involution $i \in H$. Hence the total number of involutions is
\[
\frac{|H|}{|C_H(i)|} = \frac{2abq}{2b} = aq.
\]
Now we compute the number of pairs of involutions $(i, j)$ such that their product $ij$ belongs to a torus of order $a$. Let $T$ be a torus of order $a$. Then $N_H(T)$ is a dihedral group of order $2a$. Therefore the involutions in $N_H(T)$ form the coset $N_H(T) \setminus T$ since $a$ is odd. Hence, for every torus of order $a$, we have $a^2$ pairs of involutions whose product belongs to $T$. The number of tori of order $a$ is $|H|/|N_H(T)| = 2abq/2a = bq$. Hence, there are $bqa^2$ pairs of involutions whose product belongs to a torus of order $a$. Thus the desired probability is
\[
\frac{bqa^2}{(aq)^2} = \frac{b}{q} \ge \frac{q - 1}{2q} = \frac{1}{2} - \frac{1}{2q}.
\]
□

Proof of Theorem 8.1. Let $E = 2^m n$ where $(2, n) = 1$. We first construct an involution $i \in X$ of right type and an element $s \in C_X(i)$ of order 4. Let $i \in X$ be an involution constructed from a random element by taking its power using the square-and-multiply method. To check whether $i$ is an involution of right type or not, we search for an element $s \in C := C_X(i)$ of order 4. Note that a random element from $C$ can be constructed efficiently by the method described in mm together with the results in [33]. If $i$ is of right type, then $C$ contains elements of order 4. Since $C = T \rtimes \langle w\rangle$ where $T$ is a torus of order $q \pm 1$ and $w$ is an involution which inverts $T$, a random element from $C$ has order divisible by 4 with probability at least $1/4$. As soon as we find an element $h \in C$ such that $h^n \ne 1$ and $h^{2n} \ne 1$, we construct an element $s \in \langle h\rangle$ of order 4 by the repeated square-and-multiply method. If we cannot find an element of order 4 in $C$, we deduce that $i$ is not of right type and we start from the beginning.

Let $i \in X$ be a right type involution. The coset $Tw$ of $T$ in $C$ consists of the involutions inverting $T$, so half of the elements of $C$ are involutions inverting $T$, and half of the involutions in $Tw$ are of the same type as $i$. We construct an involution $j \in C$ and check whether $j$ is an involution of right type by following the same arguments as above.

Finally, for commuting right type involutions $i, j \in X$, we construct an element $x$ of order 3 normalizing $\langle i, j\rangle$ by using Lemma 8.2. The probability of constructing such an element $x \in X$ is at least $\frac{1}{2} - \frac{1}{2q}$ by Lemma 8.3. Hence $\langle s, x\rangle$ is a black box subgroup encrypting $\mathrm{Sym}_4$. □
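As an added example (not the paper's own GAP code), the following Python carries out Lemma 8.2 and the proof of Theorem 8.1 in the concrete group $\mathrm{PGL}_2(\mathbb{F}_{13}) \simeq \mathrm{SO}_3(\mathbb{F}_{13})$, a constructed sample with $q = 13 \equiv 1 \bmod 4$. The matrix model, the exponent $E = \mathrm{lcm}(q-1, q+1, p)$ and the brute-force centralizer used to test the type of an involution are assumptions of the example; everything else uses only black-box operations, with the convention $y^g = g^{-1}yg$.

```python
# Added example, not the paper's GAP code: Lemma 8.2 and the proof of Theorem 8.1
# in a concrete model PGL_2(F_p) = SO_3(F_p), p = 13 (constructed sample; q = 1
# mod 4, so "right type" = centralizer of order 2(q-1) = 24).  Elements are 2x2
# matrices mod p up to scalars, but only black-box operations are used.
import random
from math import lcm

P = 13                                  # constructed sample field F_13
E = lcm(P - 1, P + 1, P)                # a global exponent for PGL_2(F_13)
N_ODD = E // (E & -E)                   # E = 2^m * N_ODD with N_ODD odd

def normalize(m):
    """Scale (a, b, c, d) mod P so its first non-zero entry is 1 (PGL_2 equality)."""
    s = pow(next(x for x in m if x % P), -1, P)
    return tuple((y * s) % P for y in m)

ONE = normalize((1, 0, 0, 1))

def mul(m, n):
    a, b, c, d = m
    e, f, g, h = n
    return normalize((a * e + b * g, a * f + b * h, c * e + d * g, c * f + d * h))

def inv(m):
    a, b, c, d = m
    return normalize((d, -b, -c, a))    # adjugate; the scalar det(m) is irrelevant

def power(m, k):                        # square-and-multiply; k < 0 uses inv(m)
    base, r, k = (inv(m) if k < 0 else m), ONE, abs(k)
    while k:
        r, base, k = (mul(r, base) if k & 1 else r), mul(base, base), k >> 1
    return r

def conj(m, g):                         # m^g = g^-1 m g, so that i^n1 = j^g below
    return mul(mul(inv(g), m), g)

def order(m):
    """Black-box style: the smallest divisor d of E with m^d = 1."""
    return min(d for d in range(1, E + 1) if E % d == 0 and power(m, d) == ONE)

def involution_from(g):
    """The paper's recipe: g^N_ODD has 2-power order; square it down to order 2."""
    y = power(g, N_ODD)
    while y != ONE and power(y, 2) != ONE:
        y = mul(y, y)
    return None if y == ONE else y

ELEMENTS = sorted({normalize((a, b, c, d)) for a in range(P) for b in range(P)
                   for c in range(P) for d in range(P) if (a * d - b * c) % P})

def centralizer(i):                     # concrete-model shortcut for C_X(i)
    return [g for g in ELEMENTS if mul(g, i) == mul(i, g)]

def is_right_type(i):
    return len(centralizer(i)) == 2 * (P - 1 if P % 4 == 1 else P + 1)

def element_of_order_4(c_i, rng):
    """Theorem 8.1: h in C(i) with h^n != 1 != h^(2n) yields s of order 4 in <h>."""
    while True:
        y = power(rng.choice(c_i), N_ODD)
        if y != ONE and power(y, 2) != ONE:
            while power(y, 4) != ONE:
                y = mul(y, y)
            return y

def order_three_element(i, j, k, rng):
    """Lemma 8.2: x = g*n1^-1*n2^-1 permutes i, j, k cyclically and has order 3."""
    while True:
        g = rng.choice(ELEMENTS)
        h1 = mul(i, conj(j, g))
        m1 = order(h1)
        if m1 % 2:                                  # h1 = i*j^g of odd order
            n1 = power(h1, (m1 + 1) // 2)           # i^n1 = j^g
            s = conj(k, mul(g, inv(n1)))
            h2 = mul(j, s)
            m2 = order(h2)
            if m2 % 2:                              # h2 = j*s of odd order
                n2 = power(h2, (m2 + 1) // 2)       # j^n2 = s, n2 centralizes i
                return mul(mul(g, inv(n1)), inv(n2))

def closure(gens):
    """Subgroup generated by gens (breadth-first), to check |Alt_4| and |Sym_4|."""
    seen, frontier = {ONE}, [ONE]
    while frontier:
        new = {mul(a, g) for a in frontier for g in gens} - seen
        seen |= new
        frontier = list(new)
    return seen

def construct_sym4(seed=0):
    """Proof of Theorem 8.1: right-type i, s of order 4 in C(i), right-type j in
    C(i), k = ij, then x from Lemma 8.2; <i, j, x> = Alt_4 and <s, x> = Sym_4."""
    rng = random.Random(seed)
    i = None
    while i is None or not is_right_type(i):
        i = involution_from(rng.choice(ELEMENTS))
    c_i = centralizer(i)
    s = element_of_order_4(c_i, rng)
    j = None
    while j is None or j == i or not is_right_type(j):
        j = involution_from(rng.choice(c_i))
    k = mul(i, j)
    x = order_three_element(i, j, k, rng)
    return {"i": i, "j": j, "k": k, "s": s, "x": x}
```

Calling `construct_sym4()` returns the tuple $(i, j, k, s, x)$; `closure([s, x])` then has 24 elements and `closure([i, j, x])` has 12, matching $\mathrm{Sym}_4$ and $\mathrm{Alt}_4$.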

9. Coordinatization

All we need now is to carry out Hilbert's coordinatization of $\mathfrak{P}$ [20] using our toolbox from Section 7. Then the action of $X$ on $\mathfrak{I}$ by conjugation will give us a morphism
\[
X \to \mathrm{SO}_3(K)
\]
for some black box field $K$ that encrypts a finite field $\mathbb{F}$ of odd characteristic.

9.1. The spinor basis. The construction from Section 8 yields a subgroup $H \simeq \mathrm{Sym}_4$ and all its 24 elements as concrete strings in $X$, and we shall need to introduce special notation for most of these elements; they will play the central role in later calculations. The symbol $H$ is chosen to emphasize that the group $H \simeq \mathrm{Sym}_4$ controls the quaternionic structure on $\mathfrak{l}$ as well as cross-ratio and harmonic conjugation on $\mathfrak{P}$.

We denote the three involutions in the 4-group $E = O_2(H)$ by $e_1, e_2, e_3$. If $\mathfrak{t}_1, \mathfrak{t}_2, \mathfrak{t}_3$ are their centralizers in $\mathfrak{l}$, we know that they are orthogonal to each other and
\[
\mathfrak{l} = \mathfrak{t}_1 \oplus \mathfrak{t}_2 \oplus \mathfrak{t}_3
\]
is the weight decomposition for the action of $E$ on $\mathfrak{l}$ and is therefore a grading of $\mathfrak{l}$:
\[
[\mathfrak{t}_1, \mathfrak{t}_2] = \mathfrak{t}_3, \quad [\mathfrak{t}_2, \mathfrak{t}_3] = \mathfrak{t}_1, \quad [\mathfrak{t}_3, \mathfrak{t}_1] = \mathfrak{t}_2.
\]
Moreover, an element $\theta$ of order 3 from $H$ cyclically permutes $\mathfrak{t}_1, \mathfrak{t}_2, \mathfrak{t}_3$, which allows us to select a basis in $\mathfrak{l}$ made of
\[
\epsilon_1 \in \mathfrak{t}_1, \quad \epsilon_2 = \epsilon_1^\theta \in \mathfrak{t}_2, \quad \text{and} \quad \epsilon_3 = \epsilon_2^\theta \in \mathfrak{t}_3.
\]
Since $E$ lies in the commutator subgroup of $H$, the involutions $e_i \in E$ have spinor norm 1 and therefore the vectors $\epsilon_i$ can be chosen to satisfy
\[
K(\epsilon_i, \epsilon_i) = 1,
\]
forming an orthonormal basis in $\mathfrak{l}$,
\[
K(\epsilon_i, \epsilon_j) = \delta_{ij}.
\]
In particular, the quadric $\mathfrak{Q}$ in $\mathfrak{P}$ can be written by the equation
\[
x_1^2 + x_2^2 + x_3^2 = 0
\]
in the coordinates $x_1, x_2, x_3$ associated with the basis $\epsilon_1, \epsilon_2, \epsilon_3$.

In addition, the basis $\epsilon_1, \epsilon_2, \epsilon_3$ seen as a basis of the Lie algebra $\mathfrak{l}$ obviously satisfies the Lie relations
\[
[\epsilon_1, \epsilon_2] = a\epsilon_3, \quad [\epsilon_2, \epsilon_3] = a\epsilon_1, \quad [\epsilon_3, \epsilon_1] = a\epsilon_2,
\]
for some fixed $a \in \mathbb{F}^*$. What we found is an analogue of a spinor basis (or Pauli basis) from quantum mechanics and will be discussed in detail elsewhere.


9.2. First steps towards the coordinatization of $\mathfrak{P}$. We know that $\epsilon_1, \epsilon_2, \epsilon_3$
form an orthonormal basis in $\mathfrak{l}$ and $e_1, e_2, e_3$ have homogeneous coordinates
$$(1, 0, 0), \quad (0, 1, 0), \quad (0, 0, 1);$$
and the quadric $Q$ is given in the coordinates $x_1, x_2, x_3$ associated with this basis by
the equation
$$x_1^2 + x_2^2 + x_3^2 = 0.$$

Following traditional notation, we represent lines in $\mathfrak{P}$ by equations of the form
$$X_1 x_1 + X_2 x_2 + X_3 x_3 = 0$$
and treat the tuple $[X_1, X_2, X_3]$ as the homogeneous coordinates of the line.

We shall now construct a black box field $K$. Towards this end, let us take for
the extended field $K \cup \{\infty\}$ the set of points on the coordinate line $e_1 \vee e_3$, assigning
the coordinate $x_1 = 0$ to $e_3$ and $x_1 = \infty$ to $e_1$.

Taking into account that the coordinatization of $\mathfrak{P}$ has to be consistent with the
action of $X$, and, in particular, with the action of $H$ on the basis $e_1, e_2, e_3$, we see
that if we take the line $e_1 \vee e_2$ for the line at infinity, we have the following:

[Figure: $e_2 = (0, \infty, 1)$ above, and $e_3 = (0, 0, 1)$, $e_1 = (\infty, 0, 1)$ on the $x_1$-axis]

And this is the same picture in homogeneous coordinates:

[Figure: $e_3 = (0, 0, 1)$ and $(1, 0, 0) = e_1$ on the $x_1$-axis]


We shall gradually assign coordinates to more and more points in $\mathfrak{P}$, at every
step ensuring that the coordinatization is consistent with the action of $X$ on $\mathfrak{I}$ and
$\mathfrak{P}$ and hence with the vector space structure on $\mathfrak{l}$. If a point $x \in \mathfrak{P}$ has coordinates
$x_1, x_2, x_3$, we shall write
$$x = (x_1, x_2, x_3)$$
and similarly denote lines by their coordinates,
$$\ell = [X_1, X_2, X_3],$$
which denote the line
$$\ell = \{\, (x_1, x_2, x_3) \mid X_1 x_1 + X_2 x_2 + X_3 x_3 = 0 \,\}.$$
We note that $(x_1, x_2, x_3)$ and $[X_1, X_2, X_3]$ are homogeneous coordinates; they are
defined up to multiplication by a non-zero scalar.

Observe that polarity has a very simple meaning in terms of homogeneous coordinates
associated with an orthonormal basis:
$$\pi((x_1, x_2, x_3)) = [X_1, X_2, X_3] \quad\text{if and only if}\quad X_1 = x_1,\ X_2 = x_2,\ X_3 = x_3.$$
In particular, polar images of the base points $e_i$ have equations $x_i = 0$, $i = 1, 2, 3$,
and homogeneous coordinates
$$\pi(e_1) = [1, 0, 0], \quad \pi(e_2) = [0, 1, 0], \quad \pi(e_3) = [0, 0, 1].$$

When restricted to $\mathfrak{I}$, the polar image of a point $s \in \mathfrak{I}$,
$$\pi(s) = T_s w,$$
is a coset of the torus $T_s$ containing $s$ in the centralizer $C_X(s) = T_s \rtimes \langle w \rangle$, where
$w$ is an involution inverting $T_s$. Therefore polar images can be easily computed by the
Altseimer–Bray algorithm.

So we have, in the black box setup, the following picture.

[Figure: $e_2 = (0, 1, 0)$, $e_3 = (0, 0, 1)$, $(1, 0, 0) = e_1$, and the line $[0, 1, 0]$ through $e_1$ and $e_3$]

We shall soon add new points to this picture.


9.3. The unity element in $K$. So far, we know which elements on the $x_1$-coordinate
line represent the points $0$ and $\infty$, and now we construct the point $x_1 = 1$.
We shall do that by exploiting the group $H$ in full.

Let $\theta$ be an element of order 3 in $H$ which permutes the basis points $e_1, e_2, e_3$.
Pick in $N_H(\langle \theta \rangle)$ an involution $d_1$ which commutes with $e_1$. Observe that $E \rtimes \langle d_1 \rangle$
is a dihedral group of order 8 and therefore $e_2^{d_1} = e_3$.

Now turn to the use of homogeneous coordinates. Recall that $e_2 = (0, 1, 0)$ and
$e_3 = (0, 0, 1)$. There are two involutions which conjugate $e_2$ and $e_3$:
$$\begin{aligned}
s_{(0,1,1)}(e_2) &= s_{(0,1,1)}((0, 1, 0)) = \frac{2(0 \cdot 0 + 1 \cdot 1 + 1 \cdot 0)}{0^2 + 1^2 + 1^2}\,(0, 1, 1) - (0, 1, 0) \\
&= (0, 0, 1) = e_3, \\
s_{(0,1,-1)}(e_2) &= s_{(0,1,-1)}((0, 1, 0)) = \frac{2(0 \cdot 0 + 1 \cdot 1 + (-1) \cdot 0)}{0^2 + 1^2 + 1^2}\,(0, 1, -1) - (0, 1, 0) \\
&= (0, 0, -1).
\end{aligned}$$

We can assign to $d_1$ the coordinates $(0, 1, 1)$ and set
$$d_2 = d_1^{\theta} = (1, 0, 1) \quad\text{and}\quad d_3 = d_1^{\theta^2} = (1, 1, 0).$$


So we have now a richer picture:

[Figure: the previous picture with $e_2 = (0, 1, 0)$ and the unit points $d_1, d_2, d_3$ added]



9.4. More about $H$. We record for future use that the natural isomorphism
$$H \to \mathrm{Sym}_4,$$
where $\mathrm{Sym}_4$ is seen as the symmetric group of the set $\{0, 1, 2, 3\}$, is in notation chosen
in such a way that
$$\begin{array}{lll}
e_1 \mapsto (01)(23) & \theta \mapsto (123) & d_1 \mapsto (23) \\
e_2 \mapsto (02)(13) & & d_2 \mapsto (13) \\
e_3 \mapsto (03)(12) & & d_3 \mapsto (12)
\end{array}$$
In particular,
$$d_2^{d_3} = d_3 \circ d_2 \circ d_3 = d_1, \qquad e_1^{d_3} = d_3 \circ e_1 \circ d_3 = e_2.$$

9.5. Affine coordinates. Taking, as we have already done, the line $x_3 = 0$ for the
line at infinity and the lines $x_2 = 0$ and $x_1 = 0$ for the coordinate axes, we get

[Figure: $e_2 = (0, \infty, 1)$ above, and $e_3 = (0, 0, 1)$, $d_2 = (1, 0, 1)$, $e_1 = (\infty, 0, 1)$ on the $x_1$-axis]

Observe that this assignment of coordinates agrees with the action of $H$. In
particular, conjugation by $d_3$ moves the points with $x_1$-coordinates $0, 1, \infty$ on the
$x_1$-axis $e_1 \vee e_3$ to the points with $x_2$-coordinates $0, 1, \infty$, respectively, on the $x_2$-axis
$e_2 \vee e_3$. Therefore we can treat both coordinate axes, the $x_1$-axis $e_1 \vee e_3$ and the
$x_2$-axis $e_2 \vee e_3$, as the two copies of the projective line $K \cup \{\infty\}$ over the black box
field $K$ that we will construct on the $x_1$-axis.

Now on "this side of infinity", on the affine plane $x_3 \ne 0$, the homogeneous
coordinates of an arbitrary point $x$ can be written as
$$(x_1, x_2, 1),$$
where
$$x_1 = \xi_{e_2}(x) \quad\text{and}\quad x_2 = \xi_{e_1}(x)$$
are polar projections of $x$ onto the coordinate axes:

[Figure: the point $x = (x_1, x_2, 1)$ with its projections $x_1$ and $x_2$ onto the two axes]

and we get the classical coordinatization of the affine plane

[Figure: the affine plane with the two coordinate axes and the line at infinity]

even before we defined the operations of the field $K$; the latter will be done in the rest
of this section.

If $x$ lies on the line at infinity $x_3 = 0$ then we can take any point $x'$ on the
line $e_3 \vee x$, construct its affine coordinates $(x_1', x_2', 1)$ as above and take the triple
$(x_1', x_2', 0)$ for the homogeneous coordinates of $x$.

9.6. Addition $\oplus$ on $K$. Now we can introduce the field operations in the usual
way, as shown on the following two diagrams; see Hartshorne [20] for details.

[Figure: $d_1 = (0, 1)$ on the $x_2$-axis, $e_3 = (0, 0)$, and the points $a$, $b$, $a \oplus b$ on the $x_1$-axis]

In terms of our toolbox, we first construct
$$c = (a \vee e_2) \wedge (d_1 \vee e_1),$$
then we construct the point at infinity on the line $d_1 \vee b$ and denote it $\infty_{d_1, b}$:
$$\infty_{d_1, b} = (d_1 \vee b) \wedge (e_1 \vee e_2),$$
then $a \oplus b$ is the point of intersection of the line $c \vee \infty_{d_1, b}$ parallel to $d_1 \vee b$ with the
$x_1$-coordinate axis $e_1 \vee e_3$:
$$a \oplus b = (c \vee \infty_{d_1, b}) \wedge (e_1 \vee e_3).$$


9.7. Multiplication $\otimes$ on $K$.

In terms of our toolbox, we first construct the line $x_1 = x_2$ as $e_3 \vee d_3$, then the
point $c = (1, 1)$ as
$$(e_3 \vee d_3) \wedge (d_2 \vee e_2),$$
and the point $d = (a, a)$ as
$$d = (e_3 \vee d_3) \wedge (a \vee e_2),$$
then the point at infinity of the line $b \vee c$ as
$$\infty_{b, c} = (b \vee c) \wedge (e_1 \vee e_2),$$
the line through the point $d$ parallel to $b \vee c$ as
$$d \vee \infty_{b, c}$$
and, finally, the product $a \otimes b$ as the point of intersection of that line with the
$x_1$-axis $e_1 \vee e_3$:
$$a \otimes b = (e_1 \vee e_3) \wedge (d \vee \infty_{b, c}).$$

9.8. Inversion and negation in $K$. Forming the negative
$$x \mapsto \ominus x$$
and inversion
$$x \mapsto x^{\oslash}$$
on $K$ are much easier to compute than addition and multiplication. Here are two
useful observations.

If $x = (x, 0, 1)$ is a point on the $x_1$-axis, then
$$\begin{aligned}
s_{(0,0,1)}(x) &= s_{(0,0,1)}((x, 0, 1)) = \frac{2(0 \cdot x + 0 \cdot 0 + 1 \cdot 1)}{0^2 + 0^2 + 1^2}\,(0, 0, 1) - (x, 0, 1) \\
&= (0, 0, 2) - (x, 0, 1) = (-x, 0, 1) = \ominus x
\end{aligned}$$
and
$$\begin{aligned}
s_{(1,0,1)}(x) &= s_{(1,0,1)}((x, 0, 1)) = \frac{2(1 \cdot x + 0 \cdot 0 + 1 \cdot 1)}{1^2 + 0^2 + 1^2}\,(1, 0, 1) - (x, 0, 1) \\
&= (x + 1, 0, x + 1) - (x, 0, 1) = (1, 0, x) = (1/x, 0, 1) = x^{\oslash}.
\end{aligned}$$

Therefore the field operations of taking the negative and inversion
$$x \mapsto \ominus x, \qquad x \mapsto x^{\oslash}$$
on $K$ are computable by single conjugations.

This completes the construction of the black box field $K$.
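The recipes of Subsections 9.6–9.8 (addition and multiplication by join and meet, negation and inversion by a single reflection) carried out on the $x_1$-axis of the projective plane over a prime field, as an added Python model that is not the paper's GAP code. Points and lines are homogeneous triples modulo an assumed known prime, join and meet are cross products, and the unit points $d_1, d_2, d_3$ and the reflection formula are those of Subsections 9.3 and 9.8.

```python
"""Field operations of Sections 9.6-9.8 on the x1-axis e1 V e3 of the projective
plane over F_p.  Added example, not the paper's code: the real construction runs
on involutions of a black box group; here points and lines are homogeneous
triples mod p and join (V) / meet (^) are cross products.  Assumes a known
prime p and the paper's unit points d1 = (0,1,1), d2 = (1,0,1), d3 = (1,1,0)."""
P = 5463458053                      # the prime the paper reports testing with

def cross(u, v, p=P):
    """Cross product mod p: join of two points (a line) or meet of two lines (a point)."""
    return ((u[1]*v[2] - u[2]*v[1]) % p,
            (u[2]*v[0] - u[0]*v[2]) % p,
            (u[0]*v[1] - u[1]*v[0]) % p)

join, meet = cross, cross

def normalize(pt, p=P):
    """Scale a homogeneous triple so that its last non-zero coordinate is 1."""
    for c in reversed(pt):
        if c % p:
            k = pow(c, -1, p)
            return tuple(x*k % p for x in pt)
    raise ValueError("the zero vector is not a projective point")

E1, E2, E3 = (1, 0, 0), (0, 1, 0), (0, 0, 1)    # base points; e3 = 0, e1 = infinity
D1, D2, D3 = (0, 1, 1), (1, 0, 1), (1, 1, 0)    # unit points of Section 9.3

def add(a, b, p=P):
    """a (+) b (9.6): c = (a V e2) ^ (d1 V e1), inf = (d1 V b) ^ (e1 V e2),
    a (+) b = (c V inf) ^ (e1 V e3)."""
    c = meet(join(a, E2, p), join(D1, E1, p), p)
    inf = meet(join(D1, b, p), join(E1, E2, p), p)
    return normalize(meet(join(c, inf, p), join(E1, E3, p), p), p)

def mul(a, b, p=P):
    """a (x) b (9.7): c = (1,1) and d = (a,a) on the line e3 V d3,
    inf = (b V c) ^ (e1 V e2), a (x) b = (e1 V e3) ^ (d V inf)."""
    diag = join(E3, D3, p)                      # the line x1 = x2
    c = meet(diag, join(D2, E2, p), p)          # the point (1, 1, 1)
    d = meet(diag, join(a, E2, p), p)           # the point (a, a, 1)
    inf = meet(join(b, c, p), join(E1, E2, p), p)
    return normalize(meet(join(E1, E3, p), join(d, inf, p), p), p)

def reflect(v, x, p=P):
    """s_v(x) = (2 K(v,x) / K(v,v)) v - x: the action of the involution with pole v (9.8)."""
    nvv = sum(t*t for t in v) % p
    if nvv == 0:
        raise ValueError("isotropic pole: v lies on the quadric")
    k = 2 * sum(s*t for s, t in zip(v, x)) * pow(nvv, -1, p) % p
    return normalize(tuple((k*s - t) % p for s, t in zip(v, x)), p)

def neg(a, p=P):
    """(-) a: a single conjugation by e3 = (0,0,1)."""
    return reflect(E3, a, p)

def inv(a, p=P):
    """a^(/): a single conjugation by d2 = (1,0,1); the inverse of 0 = e3 is e1 = infinity."""
    return reflect(D2, a, p)

def point(a, p=P):
    """Field element a as the point (a, 0, 1) on the x1-axis."""
    return (a % p, 0, 1)

def value(pt, p=P):
    """x1-coordinate of a point on the x1-axis; None stands for infinity (e1)."""
    x1, x2, x3 = normalize(pt, p)
    assert x2 == 0, "not on the x1-axis"
    return None if x3 == 0 else x1

def field_add(a, b, p=P): return value(add(point(a, p), point(b, p), p), p)
def field_mul(a, b, p=P): return value(mul(point(a, p), point(b, p), p), p)
def field_neg(a, p=P):    return value(neg(point(a, p), p), p)
def field_inv(a, p=P):    return value(inv(point(a, p), p), p)
```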


9.9. Square roots in $K$. Given an element $x \in K$, a number of polynomial time
Las Vegas algorithms allow us to find a square root of $x$ in $K$, if it exists. In our
context, the most suitable appears to be Ozdemir's singular elliptic curve algorithm


10. Enforced serendipity: construction of unipotent elements

10.1. Subplane over $\mathbb{F}_p$. Denote by $K_0$ the prime subfield (of order $p$) of $K$.
Starting from the element $1 \in K$, we can construct the image of every residue modulo
$p$ by the double-and-add algorithm, that is, we can compute the canonical map
$$\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z} \to K_0.$$
This can be carried out on both the $x_1$- and $x_2$-axes. After computing points $x_1$ and
$x_2$ on the corresponding axes, we can find the point $x = (x_1, x_2, 1)$ as
$$x = (x_1 \vee e_2) \wedge (x_2 \vee e_1).$$
Hence we can construct the image in $\mathfrak{P}$ of any point $(x_1, x_2, 1)$ in the affine plane
over $\mathbb{F}_p$.

10.2. A serendipitous path to parabolic points. Proof of Theorem 1.1.

Let $Y$ be a black box group encrypting $PSL_2(F)$ for some finite field $F$ of unknown
odd characteristic $p$. By Theorem 4.1 we construct a black box group $X$ encrypting
$SO_3(F)$. Then we construct a black box subgroup $H$ of $X$ encrypting $\mathrm{Sym}_4$
containing three commuting involutions $e_1, e_2, e_3$ of right type. By following the
procedures described in Section 9 we have a black box field $K$ with addition $\oplus$
and multiplication $\otimes$, together with the procedures for computing multiplicative
and additive inverses. Let $K$ be defined on the axis $e_1 \vee e_3$, that is,
$$K = \{\, t e_3 \mid t \in T_{e_2} \,\}.$$
Let $d_1$ be the unit element on the axis $e_1 \vee e_3$ found as described in Subsection 9.3.

Observe that if $p \equiv -1 \bmod 4$, then adding $d_1$ to itself on the coordinate axis
$e_1 \vee e_3$ results in constructing the zero element $e_3$ in the field $K$ after $p$ iterations,
whereas if $p \equiv 1 \bmod 4$ then there exists a positive integer $c < p$ such that $c^2 + 1 \equiv
0 \bmod p$, and so $(c - 1)d_1 \oplus d_1$ fails; that is, the procedure for this addition produces
two involutions $t$ and $s$ whose product $u = ts$ is a nontrivial unipotent element in
$X$.

Thus, if $p \equiv 1 \bmod 4$, then we check whether the element $u$ has order $c^2 + 1$ by
using the repeated square-and-multiply method. In this case, clearly, $p = c^2 + 1$. If
$p \equiv -1 \bmod 4$, then obtaining the involution $e_3$ by adding $d_1$ to itself repeatedly
determines the characteristic $p$. To construct a unipotent element in this case, we
first find field elements $c, d \in \mathbb{F}_p$ satisfying $c^2 + d^2 + 1 = 0$ by using the Tonelli–
Shanks algorithm. Note that half of the elements in $\mathbb{F}_p$ are squares. Then the
construction of the image in $\mathfrak{P}$ of the point $(c, d, 1)$ results in one of the functions in
our toolbox returning a result outside of $\mathfrak{I}$, that is, in the discovery of two involutions
$t$ and $s$ whose product $u = ts$ is a nontrivial unipotent element in $X$.

So far we tested our algorithm for finding unipotent elements in $SO_3(\mathbb{F}_p)$ (in
an old version of GAP on an old laptop) for 10-digit primes like $p = 5463458053$,
which provided a sufficient proof of concept.
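The serendipity argument above, as an added model over a prime field that is not the paper's implementation: repeated addition of the unit either returns to $e_3$ after $p$ steps or lands on the quadric at the first $c$ with $c^2 + 1 \equiv 0$, and for $p \equiv 3 \bmod 4$ a pair $c, d$ with $c^2 + d^2 + 1 = 0$ found by Tonelli–Shanks gives the point $(c, d, 1)$ on the quadric. The supplied prime $p$, the Tonelli–Shanks routine and the cross-product join/meet are assumptions of the model.

```python
"""Enforced serendipity (Section 10.2) modelled over F_p.  Added example, not the
paper's code.  The black box only learns whether a constructed point is a genuine
involution (off the quadric x1^2 + x2^2 + x3^2 = 0) or not; here p is supplied to
the model, but the search in find_characteristic uses it only through that test
and through equality with e3.  Tonelli-Shanks is the standard algorithm (assumed)."""

def on_quadric(pt, p):
    """True when the point is isotropic: no involution of X corresponds to it, and
    the toolbox hands back a pair t, s whose product ts is unipotent."""
    return sum(x*x for x in pt) % p == 0

def find_characteristic(p):
    """Add the unit to itself on the x1-axis until the sum is e3 = (0,0,1) (then p is
    the number of additions) or the result lands on the quadric (then c^2 + 1 = 0
    mod p and the failed addition yields a unipotent element).
    Returns ("characteristic", p) or ("unipotent", c)."""
    x = (0, 0, 1)                                   # the zero element e3
    for k in range(1, p + 1):
        x = ((x[0] + 1) % p, 0, 1)                  # x (+) 1 on the axis e1 V e3
        if on_quadric(x, p):
            return ("unipotent", x[0])
        if x == (0, 0, 1):
            return ("characteristic", k)
    raise AssertionError("unreachable for a prime p")

def tonelli_shanks(n, p):
    """A square root of n modulo an odd prime p, or None if n is a non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:                # Euler's criterion
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:          # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                               # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def cross(u, v, p):
    """Join of two points / meet of two lines in homogeneous coordinates mod p."""
    return ((u[1]*v[2] - u[2]*v[1]) % p, (u[2]*v[0] - u[0]*v[2]) % p,
            (u[0]*v[1] - u[1]*v[0]) % p)

def isotropic_point(p):
    """p = 3 mod 4: find c, d in F_p with c^2 + d^2 + 1 = 0 and build the point
    (c, d, 1) = (u V e2) ^ (v V e1) from u = (c,0,1) on the x1-axis and v = (0,d,1)
    on the x2-axis.  The meet lies on the quadric, so in the black box the toolbox
    would return a unipotent element instead of an involution."""
    e1, e2 = (1, 0, 0), (0, 1, 0)
    for c in range(p):
        d = tonelli_shanks(-(c * c + 1), p)
        if d is not None:
            u, v = (c, 0, 1), (0, d, 1)
            pt = cross(cross(u, e2, p), cross(v, e1, p), p)
            k = pow(pt[2], -1, p)                   # normalise to x3 = 1
            return tuple(x * k % p for x in pt)
    raise ValueError("every element of F_p is a sum of two squares; unreachable")
```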

11. COORDINATIZATION OF THE ACTION OF $X$ ON $\mathfrak{I}$, PROOF OF THEOREM 1.3

11.1. Construction of the morphism $X \to SO_3(K)$. Abusing notation, let us
denote strings in $X$ by the same symbols as the elements in $G \cong SO_3(F)$ that they
encrypt.

The aim of this section is to represent the action of an arbitrary element $x \in X$
on the projective plane by a $3 \times 3$ matrix $\rho(x)$ with coefficients in $K$. We shall
consider several cases:

Case 1. We set
$$\rho(e_1) = \begin{pmatrix} 1 & 0 & 0 \\ 0 & -1 & 0 \\ 0 & 0 & -1 \end{pmatrix}, \quad
\rho(e_2) = \begin{pmatrix} -1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & -1 \end{pmatrix}, \quad
\rho(e_3) = \begin{pmatrix} -1 & 0 & 0 \\ 0 & -1 & 0 \\ 0 & 0 & 1 \end{pmatrix}.$$


Case 2. Now we compute $\rho(u)$ for an arbitrary involution $u \in X$ in "general
position" in the sense that $u$ does not commute with any of $e_i$, $i = 1, 2, 3$.

If now $u \in X$, the involutions $u_i = e_i^u$, $i = 1, 2, 3$, represent in the projective plane $\mathfrak{P}$
the vectors $\epsilon_i^u$. We can compute the homogeneous coordinates $(u_{i1}, u_{i2}, u_{i3})$ of $u_i$ using the
construction from Section 9.5. The vector $(u_{i1}, u_{i2}, u_{i3})$ is a scalar multiple of $\epsilon_i^u$.
We have to normalize it by finding a scalar $c_i \in K$ such that
$$c_i^2 \left( u_{i1}^2 + u_{i2}^2 + u_{i3}^2 \right) = 1,$$
which is done by taking a square root
$$c_i = \pm \sqrt{\frac{1}{u_{i1}^2 + u_{i2}^2 + u_{i3}^2}}$$
(see Section 5.1). The choice of signs $\pm$ is dictated by the need to make the matrix
$$U = \rho(u) = (c_i u_{ij})$$
an involution from $SO_3(K)$; that is, $U$ has to have determinant 1 and be symmetric.

The choice of signs could happen to be not unique and defined up to a simultaneous
change of two signs, that is, up to multiplication of $U$ on the right by one of the
matrices $\rho(e_i)$. Since $U$ and $\rho(e_i)$ are involutions, their product $U\rho(e_i)$ can happen
to be an involution if and only if $U$ and $\rho(e_i)$ commute, which is excluded by our
choice of $u$.
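Case 2 worked over a prime field, as an added example that is not the paper's code: an involution in general position is hidden by scaling the coordinate rows of $e_i^u$ with constructed scalars, and the matrix is recovered by the square-root normalization and the symmetric, determinant-one sign test. The prime $p \equiv 3 \bmod 4$ (so that a square root is an exponentiation rather than the Las Vegas root finder of Section 9.9), the axis vector $(1, 2, 3)$ and the hidden scalars are assumptions.

```python
"""Case 2 of Section 11.1 over F_p: the matrix rho(u) of an involution u in
general position from the homogeneous coordinates of e_i^u.  Added example,
not the paper's code.  Assumptions: p = 3 mod 4 so that a square root of a
residue a is a^((p+1)/4); the scalars lambda_i hidden from the black box are
simulated by scaling each row of a known involution by a constructed constant."""
from itertools import product

P = 10007                                   # constructed prime, 10007 = 3 mod 4

def inv_mod(a, p=P):
    return pow(a % p, -1, p)

def sqrt_mod(a, p=P):
    """A square root of a mod p (p = 3 mod 4), or None if a is a non-residue."""
    a %= p
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a else None

def det3(m, p=P):
    (a, b, c), (d, e, f), (g, h, i) = m
    return (a*(e*i - f*h) - b*(d*i - f*g) + c*(d*h - e*g)) % p

def matmul(a, b, p=P):
    return [[sum(a[i][k]*b[k][j] for k in range(3)) % p for j in range(3)]
            for i in range(3)]

def is_symmetric(m):
    return all(m[i][j] == m[j][i] for i in range(3) for j in range(3))

def involution_about(v, p=P):
    """rho of the involution with axis v: 2 v v^T / K(v,v) - I, symmetric of determinant 1."""
    k = 2 * inv_mod(sum(x*x for x in v), p) % p
    return [[(k*v[i]*v[j] - int(i == j)) % p for j in range(3)] for i in range(3)]

def recover_rho(rows, p=P):
    """rows[i] is an unknown scalar multiple of e_i^u.  Scale row i by
    c_i = +-sqrt(1 / (u_i1^2 + u_i2^2 + u_i3^2)) and keep the sign choice that makes
    U symmetric with determinant 1, i.e. an involution in SO_3(F_p).  When u is not
    in general position the choice is not unique and None is returned."""
    scaled = []
    for r in rows:
        c = sqrt_mod(inv_mod(sum(x*x for x in r), p), p)
        if c is None:
            raise ValueError("1 / K(row, row) is not a square")
        scaled.append([c * x % p for x in r])
    found = []
    for signs in product((1, p - 1), repeat=3):          # +-1 per row
        u = [[s * x % p for x in r] for s, r in zip(signs, scaled)]
        if is_symmetric(u) and det3(u, p) == 1:
            found.append(u)
    return found[0] if len(found) == 1 else None

def demo(p=P):
    """Constructed check: hide an involution behind row scalings and recover it."""
    rho_u = involution_about((1, 2, 3), p)                 # general position
    hidden = [[lam * x % p for x in row] for lam, row in zip((5, 7, 11), rho_u)]
    return recover_rho(hidden, p) == rho_u
```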

Case 3. Now let $u \in X$ be an involution not in general position, say $u \in C_X(e_1)$.
Recall that $C = C_X(e_1)$ is a dihedral group. If $u = e_1$, we are in Case 1. If $u \ne e_1$,
we do a random search for an involution $v \in X$ such that $v$ and $w := u^v$ do not
commute with any of $e_1, e_2, e_3$ (this condition is satisfied with probability 1 − O(i)).
Then $u = vwv$ and we can compute $\rho(v)$ and $\rho(w)$ as in Case 2 and then compute
$$\rho(u) = \rho(v)\rho(w)\rho(v).$$

Case 4. This is the general case. By Lemma 6.2 we know that every $x \in X$
is either an involution, or a product of two or three involutions, say $x = uv$, so we
compute
$$\rho(x) = \rho(u)\rho(v),$$
where $\rho(u)$ and $\rho(v)$ are computed as in Cases 2 and 3.

This gives us an algorithm constructing a morphism
11.2. Construction of the morphism $SO_3(K) \to X$. It is well known that
each element in $SO_3(K)$ is an involution or a product of two involutions; therefore
it will suffice to compute $\rho^{-1}(r)$ for an involution $r \in SO_3(K)$.

We shall think of $r$ as a matrix in the same orthonormal basis in which
$$\rho(e_1) = \begin{pmatrix} 1 & 0 & 0 \\ 0 & -1 & 0 \\ 0 & 0 & -1 \end{pmatrix}, \quad
\rho(e_2) = \begin{pmatrix} -1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & -1 \end{pmatrix}, \quad
\rho(e_3) = \begin{pmatrix} -1 & 0 & 0 \\ 0 & -1 & 0 \\ 0 & 0 & 1 \end{pmatrix}.$$

As it was with the computation of $\rho$, we can easily reduce the computation of $\rho^{-1}(r)$ to
the case when $r$ is in general position, that is, does not commute with any $\rho(e_i)$,
$i = 1, 2, 3$.

Being an involution, $r$ is a symmetric matrix; denote its rows as $r_1, r_2, r_3$. Now
construct in $\mathfrak{P}$ points $s_i$ which have in the homogeneous coordinates associated with
the basis $e_1, e_2, e_3$ the coordinate vectors $r_i$, $i = 1, 2, 3$. The preimage $s = \rho^{-1}(r)$
satisfies the condition
$$e_i^s = s_i, \quad i = 1, 2, 3,$$
and is in general position with respect to $\{e_i\}$; therefore $s$ is uniquely defined by
these conditions.

We can compute an involution $t_1 \in X$ such that $e_1^{t_1} = s_1$. Then the element
(not necessarily an involution) $x = st_1$ belongs to $C = C_X(e_1)$ and sends $e_2$ to
$e_2^x = e_2^{st_1} = s_2^{t_1} \in C$. We solve the conjugation problem once more, this time in $C$,
and identify this element $x \in C$; it is defined uniquely up to multiplication by an
element from $E = \langle e_1, e_2 \rangle$, so we get a coset $Ex$ as an answer. Now $s \in Ext_1$, and,
being in general position, is the only involution there.

11.3. Construction of the morphism $SO_3(F) \to SO_3(K)$. Since, in this case, $p$
is known, the order $q$ of the field on which $X$ is defined can be found by Algorithm
5.5 in [39]. Let $F$ be a standard explicitly given finite field of order $q$ and $F_0$ be
the prime subfield. Assume also that $K_0$ is the prime subfield of $K$. Then the
isomorphism $F_0 \to K_0$ can be extended, in time polynomial in the input length, to an
isomorphism $F \to K$ [27].

12. Complexities

In this section, we compute the complexities of the main procedures presented
in this paper.

Let $X$ be a black box group encrypting $SO_3(F)$ for some finite field $F$ of odd
characteristic. Let $\mu$ denote an upper bound on the time requirement for each
group operation in $X$ and $\xi$ an upper bound on the time requirement, per element,
for the construction of random elements of $X$.

Recall that we are working under the assumptions of Axioms BB1–BB3 and
either BB4 or BB5. To that end, we denote by $\rho$ an upper bound for the time required
for any of the following operations:

• given an element $x \in X$, determine whether it is of odd or even order;

• given an element $x \in X$ of even order, compute an involution in $\langle x \rangle$;

• given an element $x \in X$ of odd order, compute its square root $\sqrt{x}$ in $\langle x \rangle$.

If $E$ is a global exponent of $X$, then it is easy to see that $\rho = O(\mu \log E)$.

We shall express the complexities of our procedures in terms of $\mu$, $\xi$, $\rho$ and $E$. If the
size $|F| = q$ of the underlying field is known in advance, then we have $\rho = O(\mu \log q)$
and $E$ can be chosen to be $O(\log q)$, but we do not assume that knowledge in the
estimates that follow. We set $E = 2^m n$ where $(2, n) = 1$.

12.1. Constructing an involution in $X$. At least a quarter of the elements in $X$
are of even order [Corollary 5.3]; therefore an involution can be constructed
from a random element in time $O(\xi + \rho)$.

12.2. Centralizer of an involution $s$ in $X$. We shall use the map $\zeta$ from [7],
which produces uniformly distributed random elements in $C_X(s)$. By the structure
of tori and their conjugacy classes in $X$, it is easy to see that the product of
two conjugate involutions has odd order with probability bounded from below by a
constant, see, for example, [33]. Since $C := C_X(s) = T_s \rtimes \langle w \rangle$, where $T_s$ is a
torus of order $(|F| \pm 1)$ and $w$ is an involution inverting $T_s$, half of the elements
in $C$ are the involutions inverting $T_s$ and, by [1.8], the probability of finding a
generator of $T_s$ is $O(1/\log\log|F|)$. Hence the black box group $C$ can be constructed
in time $O((\xi + \mu + \rho)\log\log E)$.

12.3. Reification of an involution in $X$, Lemma 4.2. Given two involutions
$s, t \in X$, we shall find the complexity of constructing the involution $j := j(s, t)$
which commutes with both $s$ and $t$.

Set $z = st$; it is computed in time $\mu$. Testing $z$ for being of odd or even order
takes time $\rho$.

If $z$ has even order, then $j \in \langle z \rangle$ can be computed in time $\rho$, giving the total
time $\mu + 2\rho$.

If $z$ has odd order, then we construct $C_X(s)$ in time $O((\xi + \mu + \rho)\log\log E)$ as in
Subsection 12.2. Note that the elements in the generating set for $C_X(s)$ which are
not involutions can be taken to be generators for the torus $T_s$ containing $s$. Let $S_{T_s}$
be a generating set for $T_s$. By [1.8], we can take $|S_{T_s}| = O(\log\log|F|)$. Clearly
$S = S_{T_s} \cup \{z\}$ is a generating set for $X$ and computing the action of $j$ on $S$ takes
$O(\mu \log\log|F|)$ time. Hence, we run the product replacement algorithm on $S$ to
construct a random element $x$ together with its conjugate $x^j$. This takes time $2\xi$.
Since the elements of the form $x^j x$ have odd orders with probability bounded from
below by a constant, see [33], the construction of $C_X(j)$ takes $O((\xi + \mu + \rho)\log\log E)$
time. Finally, the involution $j$ can be constructed from an element of even order
from the torus in $C_X(j)$ by the square-and-multiply method. Hence, if $z$ has odd order,
the overall cost is $O((\xi + \mu + \rho)\log\log E)$.

12.4. A line through $s$ and $t$. Given two involutions $s, t \in X$, the line passing
through $s$ and $t$ is the coset $T_j s$ where $j = j(s, t)$ is the involution commuting with
both $s$ and $t$ and $C_X(j) = T_j \rtimes \langle s \rangle$. Therefore, by Subsection 12.3, the total time
needed to construct $j$ and $C_X(j)$ is $O((\xi + \mu + \rho)\log\log E)$.

12.5. Intersection of two distinct lines $k$ and $l$. Given involutions $s_1, s_2, t_1, t_2 \in
X$, where $s_1, s_2$ define a line $k$ and $t_1, t_2$ define a line $l$, the intersection of $k$ and
$l$, if it exists, is the involution $j(j(s_1, s_2), j(t_1, t_2))$. Therefore it can be computed in
time $O((\xi + \mu + \rho)\log\log E)$.

12.6. Tonelli–Shanks algorithm, Lemma 2.1. We follow the outline presented
in the proof of Lemma 2.1. Let $T$ be a cyclic black box group and let $E = 2^m n$
be an exponent for $T$ with $n$ odd. Let $z \in T$ be an element that has a square
root in $T$. Checking whether $z$ has odd or even order takes $\rho$ time. If $|z|$ is odd,
then the square root of $z$, which is $z^{(|z|+1)/2}$, can be constructed in time $\rho$. If $|z|$ is
even, then we need to look for an element of maximal 2-height. Observe that the
proportion of the elements of maximal 2-height in $T$ is at least $1/2$ and computing
the 2-height of an arbitrary element takes time $\rho$. The elements $a, b, c$ in the proof
of Lemma 2.1 can be set up in time $\mu \log E$ and finding the smallest $d$ takes at most
$\mu m$ time. As the recursion has at most $m$ steps and each step takes at most $\mu \log E$
time, the overall construction takes $O(\rho + \xi + \mu m^2 \log E)$ time.

12.7. Bisection of angles, Lemma 6.1. Given two conjugate involutions $i, j \in
X$, we shall find the complexity of constructing a conjugating involution $x \in X$,
that is, $i^x = j$. The construction of $x$ involves only finding the square root of $z = ij$.
Therefore it takes $O(\rho + \xi + \mu m^2 \log E)$ time, see Subsection 12.6.

12.8. Representation of an arbitrary element as a product of involutions,
Lemma 6.2. This is another application of the reification of an involution and it
takes $O((\xi + \mu + \rho)\log\log E)$ time.

12.9. Construction of $\mathrm{Sym}_4$, Theorem 8.1. We construct an involution $i \in X$
and check whether $i$ is of right type. If $i$ is of right type, then the proportion
of elements in $C_X(i)$ whose orders are divisible by 4 is at least $1/4$. Therefore,
constructing an involution $i$ and checking whether $i$ is of right type or not takes
$O(\xi + \rho + \mu \log E)$ time. Similarly, constructing another right type involution $j$
which commutes with $i$ takes $O(\xi + \rho + \mu \log E)$ time. Finally the construction of
an element of order 3 permuting $i, j, ij$ takes $O(\xi + \mu \log E)$ time. Hence the overall
construction takes $O(\xi + \rho + \mu \log E)$ time.

12.10. Coordinate axes and unit elements. The construction of coordinate
axes involves the construction of three commuting involutions of right type and
their centralizers, so it takes $O((\xi + \rho)\log\log E + \mu \log E \log\log E)$ time, see Subsections
12.2 and 12.9. Moreover, constructing the unit element on one of the axes takes
$O(\mu)$ time.

12.11. Addition and multiplication in $K$. On the coordinate axis $e_1 \vee e_3$, that
is, $T_{e_2} e_3$ where $T_{e_2}$ is the torus in $C_X(e_2)$, we shall find the complexity of $a \oplus b$
and $a \otimes b$ for two given involutions $a, b \in T_{e_2} e_3$.

Addition involves four reifications of involutions and three intersections
of lines, and multiplication involves six reifications of involutions and
four intersections of lines. Hence both addition and multiplication take $O((\xi + \mu +
\rho)\log\log E)$ time.

12.12. Finding the characteristic and constructing a unipotent element,
Theorem 1.1. Let $p$ denote the characteristic of the underlying field. The construction
of a coordinate axis, say $e_1 \vee e_3 = T_{e_2} e_3$, and the unit element $u \in e_1 \vee e_3$
take $O((\xi + \rho)\log\log E + \mu \log E \log\log E)$ time, see Subsection 12.10.

Computing the characteristic $p$ of the underlying field involves at most $p$ additions
in $K$. Therefore, it can be computed in time $O(p(\xi + \mu + \rho)\log\log E + \mu \log E)$.

Note that if $p \equiv 1 \bmod 4$, the procedure for the computation of the characteristic
$p$ also produces a unipotent element. To construct a unipotent element when $p \equiv
-1 \bmod 4$, we first find field elements $c, d \in \mathbb{F}_p$ satisfying $c^2 + d^2 + 1 = 0$ by using the
Tonelli–Shanks algorithm. By [page 212], this takes $O(k^2 \log^2 p)$ time where $k$
is the maximum power of 2 such that $2^k$ divides $p - 1$. Then, the construction of
the involutions $u \in e_1 \vee e_3$ with the coordinates $(c, 0, 1)$ and $v \in e_2 \vee e_3$ with the
coordinates $(0, d, 1)$ takes $O(\log p\,(\xi + \mu + \rho)\log\log E)$. The intersection of the lines
passing through $e_2$ and $u$, and $e_1$ and $v$, has the coordinates $(c, d, 1)$. Clearly the point
$(c, d, 1)$ lies on the quadric, so the procedure to construct the intersection of these
two lines produces a unipotent element. Thus if $p \equiv -1 \bmod 4$, the construction
of a unipotent element takes $O(p(\xi + \mu + \rho)\log\log E + \mu \log E \log\log E + k^2 \log^2 p)$.

We note here that if $p$ is given as an input, then, by using the double-and-add
method, one can construct a unipotent element in time $O(\log p\,(\xi + \mu + \rho)\log\log E +
\mu \log E \log\log E)$ if $p \equiv 1 \bmod 4$, or $O(\log p\,(\xi + \mu + \rho)\log\log E + \mu \log E \log\log E +
k^2 \log^2 p)$ if $p \equiv -1 \bmod 4$.

12.13. Morphism $X \to SO_3(K)$. We shall find the complexity to represent an
involution $u \in X$ in $SO_3(K)$. Observe that it is enough to compute the complexity
when $u$ does not commute with some commuting right type involutions $e_1, e_2, e_3 \in
X$. Then, together with the computations in Subsection 12.8, the complexity of the
representation of an arbitrary element follows.

1: Construction of right type involutions $e_1, e_2, e_3$ in $X$ takes $O(\xi + \rho + \mu \log E)$
time.

2: Computing the homogeneous coordinates of $e_i^u = (u_{i1}, u_{i2}, u_{i3})$ involves the
construction of coordinate axes, unit elements on the corresponding axes
and the intersection of the corresponding lines. Hence the overall cost is
$O((\xi + \rho)\log\log E + \mu \log E \log\log E)$.

3: Normalization of $(u_{i1}, u_{i2}, u_{i3})$ involves the computation of $\frac{1}{u_{i1}^2 + u_{i2}^2 + u_{i3}^2}$ and
its square root $c_i$ in $K$. The computation of the quotient takes $O((\xi + \mu +
\rho)\log\log E)$ time and, by using, for example, [29, Algorithm 1], the computation
of square roots in $K$ involves a constant number of field operations
and the double-and-add method in $K$, so it takes $O((\xi + \mu + \rho)\log E \log\log E)$
time.

4: The time needed to compute the matrix $U = (c_i u_{ij})$ is $O((\xi + \mu + \rho)\log\log E)$.

5: Adding all the complexities above, we get $O((\xi + \mu + \rho)\log E \log\log E)$.

12.14. Morphism $SO_3(K) \to X$. Let $r \in SO_3(K)$ be an involution. As in Subsection
12.13, it is enough to find the complexity for the construction of a black box
group element representing $r$ when $r$ does not commute with $\rho(e_1), \rho(e_2), \rho(e_3)$.
Let $r_1, r_2, r_3$ be the rows of $r$. Constructing the involutions $s_1, s_2, s_3 \in \mathfrak{P}$ with
the homogeneous coordinates $r_1, r_2, r_3$ involves only reifications of involutions and
intersections of lines. Therefore it takes $O((\xi + \mu + \rho)\log\log E)$ time.

Constructing the desired involution $s \in X$ such that $e_i^s = s_i$ involves two
bisections of angles, so it takes $O((\xi + \mu + \rho)\log\log E + \mu m^2 \log E)$ time by Subsection
12.7.

Writing an arbitrary element $x \in SO_3(K)$ as a product of involutions involves
only the reification of an involution $r$ that inverts $x$ and a random element $y \in SO_3(K)$.
Since a matrix multiplication and taking the inverse of an element in $SO_3(K)$ involve
only a constant number of multiplications and additions in $K$, it takes $O((\xi + \mu +
\rho)\log\log E)$ time by Subsection 12.11. Therefore, constructing $C_{SO_3(K)}(r)$ takes
$O((\xi + \mu + \rho)\log\log^2 E \log E)$ time.

Hence the overall cost to construct the black box group element representing $r$
is $O((\xi + \mu + \rho)\log\log^2 E \log E + \mu m^2 \log E)$.
13. Concluding remarks

Without doubt, the algorithms presented in this paper can be considerably improved.

First of all, in many applications the embedding $PSL_2 \hookrightarrow PGL_2$ (Theorem 4.1)
is already given for free. In particular, root $SL_2$-subgroups in groups of Lie type of
rank at least 2 already live inside $GL_2$.

Secondly, it is likely that some gains in speed can come from treating separately
the cases $q \equiv 1 \bmod 4$ and $q \equiv -1 \bmod 4$ of black box groups encrypting $(P)SL_2(\mathbb{F}_q)$.

There is a possibility that multiplication and addition of points on a line can be
made faster by a fuller use of techniques from projective-metric geometry [34].

In this paper, we described several different algebraic and geometric structures
associated with $SO_3$. Our aim was to prepare the ground for a more systematic study of
possible—and, among them, optimal—data formats for subgroups, lines and points
in the black box group environment.